CVE-2025-9658
BaseFortify
Publication date: 2025-08-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zoneland | o2oa | to 10.0-410 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9658 is a stored cross-site scripting (XSS) vulnerability in O2OA versions up to 10.0-410, specifically in the Personal Profile Page component at the endpoint /x_portal_assemble_designer/jaxrs/dict/{id}. It occurs because user-supplied input in fields like name, alias, and description is not properly sanitized before being stored and later rendered. This allows attackers to inject malicious JavaScript code that executes persistently when other users view the affected profile page. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability allows attackers to execute persistent malicious JavaScript in the context of the affected application. The impact includes theft of session tokens or sensitive user data, and unauthorized actions performed on behalf of authenticated users. Because the malicious scripts run in users' browsers, it can lead to compromised user accounts and data integrity issues. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable endpoint `/x_portal_assemble_designer/jaxrs/dict/{id}` for stored cross-site scripting (XSS) by sending crafted HTTP PUT requests containing malicious script payloads in the fields "name", "alias", or "description" and then verifying if the script executes when the profile is viewed. For example, you can use curl to send a test payload: curl -X PUT -H "Content-Type: application/json" -d '{"name":"<img src=1 onerror=alert(1)>"}' https://your-o2oa-instance/x_portal_assemble_designer/jaxrs/dict/{id} and then check if the alert triggers when accessing the profile page. Monitoring HTTP traffic for suspicious PUT requests to this endpoint or scanning web application inputs for unsanitized script tags can also help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include filtering and escaping user inputs in the affected profile fields (name, alias, description) before storage and ensuring proper output encoding when rendering these fields in the application interface to prevent script execution. Until a patch is released by the vendor, consider restricting access to the vulnerable endpoint, applying web application firewall (WAF) rules to block malicious payloads targeting this endpoint, and monitoring for suspicious activity. If possible, consider using alternative products or versions not affected by this vulnerability. [2, 3]