CVE-2025-9657
BaseFortify
Publication date: 2025-08-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zoneland | o2oa | to 10.0-410 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9657 is a stored cross-site scripting (XSS) vulnerability in the O2OA application up to version 10.0-410. It affects the endpoint `/x_program_center/jaxrs/script` in the Personal Profile Page component. The vulnerability occurs because user inputs in fields like name, alias, and description are not properly sanitized before being stored and later rendered. This allows an attacker to inject malicious JavaScript code that executes persistently when other users view the affected profile page. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to persistent execution of malicious scripts in the browsers of users who view the compromised profile pages. The attacker can steal session tokens, access sensitive user data, or perform unauthorized actions on behalf of authenticated users. Because the attack is remotely exploitable and requires only user interaction to trigger, it poses a significant risk to user security and data integrity. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the endpoint `/x_program_center/jaxrs/script` for stored cross-site scripting (XSS) in the parameters `name`, `alias`, and `description`. A practical approach is to send a POST request with a payload containing malicious script tags (e.g., `<img src=1 onerror=alert('hacker')>`) in these fields and then observe if the script executes when the affected profile is viewed. For example, you can use curl to send such a request: `curl -X POST -H "Content-Type: application/json" -d '{"name":"<img src=1 onerror=alert(1)>","alias":"test","description":"desc"}' https://your-o2oa-instance/x_program_center/jaxrs/script?v=develop-10.0-410-3d5e0d2`. Monitoring web application responses and browser behavior for script execution confirms the vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include filtering and escaping user inputs in the `name`, `alias`, and `description` fields before storing them, and ensuring proper output encoding when rendering these fields in the application to prevent script execution. Since no official patch is available yet, consider restricting access to the vulnerable endpoint, applying web application firewall (WAF) rules to block malicious payloads, and advising users to avoid interacting with untrusted profiles. Ultimately, upgrade to the fixed version once the vendor releases it. [2, 3]