CVE-2025-9655
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-09-16

Assigner: VulDB

Description
A weakness has been identified in O2OA up to 10.0-410. This affects an unknown part of the file /x_organization_assemble_control/jaxrs/person/ of the component Personal Profile Page. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be launched remotely. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-09-16
Generated
2026-05-06
AI Q&A
2025-08-29
EPSS Evaluated
2026-05-05
NVD
CVE-2025-9655
EUVD
EUVD-2025-26204
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zoneland o2oa to 10.0-410 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-9655 is a stored cross-site scripting (XSS) vulnerability in the O2OA application up to version 10.0-410. It affects the REST endpoint `/x_organization_assemble_control/jaxrs/person/{personId}`, where user inputs in personal profile fields like "description" and "signature" are not properly sanitized. Attackers can inject malicious JavaScript code into these fields, which is then stored and executed whenever the affected profile is viewed, potentially compromising users who view the profile. [1]


How can this vulnerability impact me? :

This vulnerability can lead to persistent execution of malicious JavaScript in the browsers of users who view the compromised profiles. This can result in theft of session tokens, exposure of sensitive user data, and unauthorized actions performed on behalf of authenticated users, potentially compromising user accounts and data integrity. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending crafted HTTP PUT requests to the endpoint /x_organization_assemble_control/jaxrs/person/{personId} with malicious JavaScript payloads in the 'description' or 'signature' fields and observing if the payload is stored and executed when the profile is viewed. For example, you can use curl to send a test payload like `<img src=1 onerror=alert(1)>` in the JSON body. A sample command is: curl -X PUT "http://<target>/x_organization_assemble_control/jaxrs/person/<personId>" \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{"description":"<img src=1 onerror=alert(1)>", "signature":"test", "otherFields":"values"}' If the payload executes when viewing the profile, the vulnerability exists. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include filtering and escaping user inputs before storing them in the system and ensuring proper output encoding when rendering profile data to prevent script execution. Additionally, restrict or sanitize inputs to the 'description' and 'signature' fields to disallow HTML or JavaScript content. Applying any available patches or upgrading to a fixed version when released is also recommended. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart