
CVE-2025-9737: Cross Site Scripting in O2OA

Medium
Tags: Vulnerability, CVE-2025-9737
Published: Sun Aug 31 2025 (08/31/2025, 16:32:06 UTC)
Source: CVE Database V5
Product: O2OA

Description

A vulnerability was detected in O2OA up to 10.0-410. Affected is an unknown function of the file /x_query_assemble_designer/jaxrs/importmodel of the component Personal Profile Page. Performing manipulation of the argument description/applicationName/queryName results in cross site scripting. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."

AI-Powered Analysis

AI analysis last updated: 08/31/2025, 17:02:48 UTC

Technical Analysis

CVE-2025-9737 is a cross-site scripting (XSS) vulnerability identified in the O2OA platform, specifically affecting versions up to 10.0-410. The vulnerability resides in an unspecified function within the file /x_query_assemble_designer/jaxrs/importmodel, which is part of the Personal Profile Page component. The issue arises due to insufficient sanitization or validation of user-supplied input in the parameters description, applicationName, or queryName. An attacker can manipulate these arguments to inject malicious scripts that execute in the context of the victim's browser.

This vulnerability is remotely exploitable without requiring authentication, although user interaction is necessary to trigger the malicious payload (e.g., by visiting a crafted URL or interacting with a maliciously crafted page). The vendor has acknowledged the issue and indicated that a fix will be included in a forthcoming version, but as of the publication date, no official patch is available. The CVSS v4.0 base score is 5.1, reflecting a medium severity level.

The exploit code has been publicly disclosed, increasing the risk of exploitation, although no active exploitation in the wild has been reported yet. The vulnerability primarily threatens the confidentiality and integrity of user sessions and data by enabling attackers to steal cookies, perform actions on behalf of users, or deliver further malicious payloads.

Potential Impact

For European organizations using O2OA, this XSS vulnerability poses a moderate risk. Exploitation could lead to session hijacking, unauthorized actions within the affected application, and potential lateral movement if the attacker leverages the compromised session to access sensitive data or internal resources. Since O2OA is a collaboration and office automation platform, the exposure of personal profile pages to XSS attacks could result in leakage of personal or corporate information. The medium severity score indicates that while the vulnerability is not critical, it can still disrupt business operations, damage user trust, and potentially lead to compliance issues under GDPR if personal data is compromised. The public availability of exploit code increases the urgency for mitigation, especially in sectors with high regulatory scrutiny or where O2OA is integrated with other critical systems.

Mitigation Recommendations

Organizations should immediately implement input validation and output encoding controls on the affected parameters (description, applicationName, queryName) within O2OA, if possible, through configuration or temporary code adjustments. Employing Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting these parameters can provide interim protection. Monitoring web logs for unusual parameter values or script injection attempts is recommended to detect exploitation attempts early. Organizations should prioritize upgrading to the vendor's fixed version once released. Additionally, educating users to avoid clicking on suspicious links related to O2OA and enforcing strict Content Security Policies (CSP) can reduce the impact of XSS attacks. Regular security assessments and penetration testing focused on web application inputs should be conducted to identify similar vulnerabilities proactively.
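The two interim controls above (output encoding of the three affected fields, and log monitoring for markup in those parameters) are shown below as an added example. This is not O2OA code and not part of the advisory; it assumes a combined-style access log in which the parameters appear in the query string (a hypothetical format; if O2OA sends them in a POST body, the same `suspicious_params` check would have to run on request-body logging instead). The function names, the regex and the sample log lines are all constructed for this illustration.

```python
"""Defensive helpers for the CVE-2025-9737 pattern (added example, not from O2OA):
1) HTML-encode the affected fields before they are rendered;
2) flag access-log requests to the affected endpoint that carry markup in them.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameters named in the advisory.
AFFECTED_PATH = "/x_query_assemble_designer/jaxrs/importmodel"
WATCHED_PARAMS = ("description", "applicationName", "queryName")

# Coarse triage filter: characters or tokens that a plain model/profile name
# never needs and that would become live markup if echoed unencoded.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Hypothetical combined-log layout: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def encode_for_html(value: str) -> str:
    """Output-encode one user-supplied field for an HTML text/attribute context."""
    return html.escape(value, quote=True)


def safe_model_fields(model: dict) -> dict:
    """Return a copy of a model record with the three affected fields encoded."""
    return {
        key: encode_for_html(str(val)) if key in WATCHED_PARAMS else val
        for key, val in model.items()
    }


def suspicious_params(target: str) -> dict:
    """Map watched parameter -> decoded value for values containing markup.

    Only requests to AFFECTED_PATH are inspected. parse_qs percent-decodes once;
    a second unquote() catches double-encoded values that a WAF rule keyed on
    the literal '<' would miss.
    """
    parts = urlsplit(target)
    if parts.path != AFFECTED_PATH:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for raw in values:
            decoded = unquote(raw)
            if MARKUP_RE.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines) -> list:
    """Run suspicious_params over parsed log lines; return one finding per hit line."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the assumed format; skip rather than guess
        hits = suspicious_params(match["target"])
        if hits:
            findings.append({"ip": match["ip"], "ts": match["ts"], "params": hits})
    return findings


# Constructed sample log lines (not real traffic): one benign request, one
# single-encoded and one double-encoded markup attempt on the affected path,
# and one markup attempt on an unrelated path that must be ignored.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Aug/2025:16:40:01 +0000] "GET /x_query_assemble_designer/jaxrs/importmodel?queryName=report HTTP/1.1" 200 512',
    '10.0.0.7 - - [31/Aug/2025:16:41:13 +0000] "GET /x_query_assemble_designer/jaxrs/importmodel?applicationName=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 498',
    '10.0.0.9 - - [31/Aug/2025:16:42:55 +0000] "GET /x_query_assemble_designer/jaxrs/importmodel?description=%253Cscript%253Etest%253C%252Fscript%253E HTTP/1.1" 200 470',
    '10.0.0.3 - - [31/Aug/2025:16:43:20 +0000] "GET /x_component_other/index.html?description=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(safe_model_fields({"queryName": "<b>weekly</b>", "id": 7}))
```

`encode_for_html` is the durable fix the advisory asks for (encode at the point of output, not at input); `scan_log` is the detection side, and its regex is deliberately coarse so it surfaces candidates for review rather than proving exploitation. The double-decode step matters because a value such as `%253C` looks harmless to a filter that only searches for `<`.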


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-30T16:41:00.526Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b47cb1ad5a09ad00bf5da6

Added to database: 8/31/2025, 4:47:45 PM

Last enriched: 8/31/2025, 5:02:48 PM

Last updated: 8/31/2025, 7:02:40 PM
