CVE-2025-9931 is a cross-site scripting (XSS) vulnerability identified in Jinher OA version 1.0, specifically within the POST request handler of the /jc6/platform/sys/login!changePassWord.action endpoint. The vulnerability arises from improper sanitization or validation of the 'Account' parameter, which allows an attacker to inject malicious scripts that execute in the context of a victim's browser. This flaw can be exploited remotely without requiring authentication, and user interaction is necessary to trigger the payload (e.g., the victim must visit a crafted URL or interact with a malicious link). The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, reflecting its moderate impact and ease of exploitation. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user authentication needed (AT:N). The impact primarily affects the integrity of the victim's session or data (VI:L), with no direct impact on confidentiality or availability. The exploit is publicly available, increasing the risk of exploitation, although no known active exploitation has been reported to date. Jinher OA is an office automation platform used for enterprise resource planning and internal management, making it a valuable target for attackers seeking to compromise internal corporate environments or steal session credentials via XSS attacks.

For European organizations using Jinher OA 1.0, this vulnerability poses a risk of session hijacking, credential theft, or unauthorized actions performed on behalf of legitimate users. Successful exploitation could lead to unauthorized access to sensitive internal resources, manipulation of user data, or lateral movement within the corporate network. Although the vulnerability does not directly compromise system availability or confidentiality at a high level, the ability to execute arbitrary scripts in users' browsers can facilitate phishing, social engineering, or deployment of secondary malware. Given the remote exploitability and lack of authentication requirements, attackers can target employees or administrators through crafted links or emails, potentially impacting business operations and data integrity. The presence of a public exploit increases the urgency for European organizations to address this issue promptly to prevent exploitation, especially in sectors where Jinher OA is deployed for critical internal workflows.

Organizations should immediately audit their Jinher OA deployments to identify instances running version 1.0. Since no official patch links are currently provided, temporary mitigations include implementing web application firewall (WAF) rules to detect and block malicious payloads targeting the vulnerable endpoint, particularly filtering suspicious input in the 'Account' parameter of the /jc6/platform/sys/login!changePassWord.action POST requests. Input validation and output encoding should be enforced at the application level to sanitize user-supplied data and prevent script injection. Additionally, organizations should educate users about the risks of clicking on untrusted links and employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitoring logs for unusual activity related to this endpoint can help detect exploitation attempts. Finally, organizations should engage with Jinher or trusted security vendors to obtain or develop patches and plan for an upgrade to a secure version once available.