CVE-2025-9735 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability resides in an unspecified function within the file /x_query_assemble_designer/jaxrs/table, which is part of the Personal Profile Page component. The flaw arises from improper sanitization or validation of user-controllable input parameters such as description, applicationName, or queryName. An attacker can manipulate these parameters to inject malicious scripts that execute in the context of a victim's browser when they access the affected page. This type of vulnerability enables attackers to perform actions such as session hijacking, credential theft, or delivering malicious payloads to users. The attack vector is remote and does not require authentication, though user interaction is necessary for the malicious script to execute (e.g., the victim must visit a crafted URL or page). The vendor has acknowledged the issue publicly on GitHub and indicated that a fix will be included in a forthcoming version. Currently, no official patch is available. The CVSS v4.0 base score is 5.1, categorizing this as a medium severity vulnerability. The vector metrics indicate network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L, which suggests some level of privileges is needed), and user interaction required (UI:P). The impact on confidentiality is none, low on integrity, and none on availability, reflecting the typical impact profile of XSS vulnerabilities. Exploits have not been observed in the wild yet, but proof-of-concept code is publicly available, increasing the risk of exploitation.

For European organizations using O2OA, particularly those deploying version 10.0-410 or earlier, this vulnerability poses a tangible risk to user security and data integrity. The XSS flaw can be exploited to execute malicious scripts in the browsers of authenticated users, potentially leading to session hijacking, unauthorized actions within the application, or phishing attacks that could compromise user credentials. This can undermine trust in the platform, lead to data leakage, and facilitate further attacks within the network. Given that O2OA is a collaborative office automation platform, often used for internal communication and document management, exploitation could expose sensitive corporate information or disrupt business workflows. The requirement for user interaction means that social engineering or phishing campaigns could be used to lure users into triggering the exploit. Although the vulnerability does not directly impact system availability or cause data corruption, the indirect consequences of compromised user accounts or stolen credentials could be severe. Organizations in sectors with strict data protection regulations, such as finance, healthcare, or government, may face compliance risks if such an exploit leads to data breaches. The public availability of exploit code increases the urgency for mitigation, as less skilled attackers can leverage existing tools to exploit the vulnerability.

1. Immediate mitigation should focus on input validation and output encoding: Organizations should implement strict sanitization of all user-supplied inputs related to the affected parameters (description, applicationName, queryName) to neutralize malicious scripts. 2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, thereby reducing the impact of potential XSS attacks. 3. Educate users about the risks of clicking on suspicious links or interacting with untrusted content within the O2OA environment to reduce successful exploitation via social engineering. 4. Monitor web application logs and user activity for unusual behavior indicative of XSS exploitation attempts. 5. Apply the vendor’s patch promptly once released; track the vendor’s GitHub repository or official channels for updates. 6. If patching is delayed, consider deploying web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the vulnerable endpoints. 7. Review and tighten user privilege assignments since the CVSS vector indicates some privileges are required; minimizing privileges reduces attack surface. 8. Conduct regular security assessments and penetration testing focused on web application vulnerabilities to identify and remediate similar issues proactively.