CVE-2025-9737 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability resides in an unspecified function within the /x_query_assemble_designer/jaxrs/importmodel endpoint, part of the Personal Profile Page component. The flaw arises from improper sanitization or validation of user-supplied input parameters, namely description, applicationName, and queryName. An attacker can manipulate these parameters to inject malicious scripts, which are then executed in the context of the victim's browser. This type of vulnerability enables remote exploitation without requiring authentication, relying only on user interaction (e.g., visiting a crafted URL). The vendor has acknowledged the issue and indicated that a fix will be included in a forthcoming version. The CVSS v4.0 base score is 5.1, categorizing it as a medium severity vulnerability. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges), with user interaction needed (UI:P), and limited impact on integrity (VI:L) but no impact on confidentiality or availability. The exploit code is publicly available, increasing the risk of exploitation, although no confirmed active exploitation in the wild has been reported yet. The vulnerability's presence in a personal profile page component suggests potential for session hijacking, credential theft, or further attacks such as phishing or malware delivery if exploited successfully.

For European organizations using O2OA, this XSS vulnerability poses a moderate risk. Exploitation could lead to unauthorized script execution in users' browsers, potentially resulting in session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. Given that O2OA is an enterprise collaboration and office automation platform, compromised user sessions could expose internal communications, documents, or personal data, impacting confidentiality and integrity. The medium severity rating reflects limited direct impact on system availability but significant risk to user trust and data security. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, could face compliance issues and reputational damage if exploited. The public availability of exploit code increases the likelihood of opportunistic attacks, especially targeting users with low security awareness. The requirement for user interaction means phishing or social engineering campaigns could be used to trigger the vulnerability. Overall, the threat could disrupt normal business operations and lead to data breaches if not mitigated promptly.

European organizations should prioritize upgrading O2OA to the vendor's forthcoming patched version once released. Until then, implement strict input validation and output encoding on the affected parameters (description, applicationName, queryName) to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct user awareness training to recognize and avoid phishing attempts that could exploit this vulnerability. Monitor web server logs and application behavior for unusual requests targeting the /x_query_assemble_designer/jaxrs/importmodel endpoint. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting these parameters. Limit user privileges where possible to reduce the impact of compromised accounts. Finally, maintain an incident response plan to quickly address any exploitation attempts.