CVE-2025-9646
BaseFortify
Publication date: 2025-08-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zoneland | o2oa | to 10.0-410 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9646 is a stored cross-site scripting (XSS) vulnerability in the O2OA application up to version 10.0-410. It affects the endpoint /x_organization_assemble_personal/jaxrs/definition/calendarConfig, specifically the toMonthViewName field. An attacker can inject malicious JavaScript code into this field, which is stored and later rendered without proper sanitization. When a user accesses the affected calendar view, the malicious script executes in their browser. [1]
How can this vulnerability impact me? :
This vulnerability allows persistent execution of attacker-controlled JavaScript in the victim's browser. It can lead to theft of session tokens, user credentials, or other sensitive information. Attackers may also perform unauthorized actions on behalf of victims, potentially resulting in account compromise and privilege escalation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for HTTP PUT requests to the endpoint `/x_organization_assemble_personal/jaxrs/definition/calendarConfig` containing suspicious payloads in the `toMonthViewName` field, such as JavaScript injection patterns (e.g., `"><img src=1 onerror=alert('hacker')>`). You can use tools like curl or network monitoring to detect such requests. For example, a curl command to test the vulnerability might be: curl -X PUT "http://<target>/x_organization_assemble_personal/jaxrs/definition/calendarConfig" \ -H "Content-Type: application/json" \ -H "Cookie: <auth_token>" \ -d '{"toMonthViewName":"\"><img src=1 onerror=alert(\'hacker\')>"}' Additionally, inspecting web server logs or using intrusion detection systems to flag such suspicious payloads in requests to this endpoint can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable endpoint `/x_organization_assemble_personal/jaxrs/definition/calendarConfig` to trusted users only, applying input validation and sanitization on the `toMonthViewName` parameter to prevent injection of malicious scripts, and monitoring for suspicious activity targeting this endpoint. Since the vendor has stated that a fix will be included in a new version, plan to update to the patched version as soon as it is released. In the meantime, consider implementing web application firewall (WAF) rules to block requests containing typical XSS payloads targeting this parameter. [1]