CVE-2025-9734 is a medium-severity Cross Site Scripting (XSS) vulnerability affecting O2OA versions up to 10.0-410. The vulnerability resides in an unspecified function within the file /x_query_assemble_designer/jaxrs/stat, part of the Personal Profile Page component. Specifically, the flaw arises from improper sanitization or validation of user-controllable input parameters such as name, alias, description, and applicationName. An attacker can remotely craft malicious input to these parameters, which is then reflected in the web application without adequate encoding or filtering, enabling the execution of arbitrary JavaScript code in the context of the victim’s browser. The vulnerability does not require authentication (PR:L) but does require user interaction (UI:P), such as clicking a crafted link or visiting a malicious page. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), and partial impact on integrity (VI:L) but no impact on confidentiality or availability. The vendor has acknowledged the issue and plans to fix it in a future release, but no patch is currently available. Public exploit code has been released, increasing the risk of exploitation, although no active exploitation in the wild has been reported yet. This vulnerability could be leveraged to steal session cookies, perform actions on behalf of authenticated users, or conduct phishing attacks by injecting malicious scripts into the application interface.

For European organizations using O2OA, this XSS vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data. Attackers could exploit this flaw to hijack user sessions, steal sensitive information, or manipulate user interactions within the application. This is particularly concerning for organizations that rely on O2OA for internal collaboration, personal profile management, or business-critical workflows, as successful exploitation could lead to unauthorized access or data leakage. The remote exploitability and lack of required privileges mean that attackers do not need to be authenticated, increasing the attack surface. The requirement for user interaction somewhat limits automated exploitation but does not eliminate risk, especially in environments where social engineering or phishing campaigns are common. The medium severity rating reflects a moderate but tangible threat, which could be escalated if combined with other vulnerabilities or misconfigurations. European entities in sectors such as government, finance, healthcare, and technology that use O2OA should be particularly vigilant, as compromise could lead to regulatory non-compliance (e.g., GDPR violations) and reputational damage.

Given the absence of an official patch at this time, European organizations should implement several targeted mitigations: 1) Apply strict input validation and output encoding on the affected parameters (name, alias, description, applicationName) at the application or web server level, using web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting these inputs. 2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 3) Educate users about the risks of clicking on suspicious links or interacting with untrusted content, as user interaction is required for exploitation. 4) Monitor application logs and network traffic for anomalous requests targeting the vulnerable endpoint (/x_query_assemble_designer/jaxrs/stat). 5) Isolate or restrict access to the Personal Profile Page component where feasible, limiting exposure. 6) Plan and prioritize upgrading to the fixed version once the vendor releases the patch. 7) Conduct regular security assessments and penetration testing focused on XSS vulnerabilities to identify and remediate similar issues proactively.