CVE-2025-9659
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in O2OA up to 10.0-410. The affected element is an unknown function of the file /x_portal_assemble_designer/jaxrs/widget of the component Personal Profile Page. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-08-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9659
EUVD
EUVD-2025-26225
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zoneland o2oa to 10.0-410 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9659 is a stored cross-site scripting (XSS) vulnerability in O2OA versions up to 10.0-410, specifically in the /x_portal_assemble_designer/jaxrs/widget endpoint of the Personal Profile Page component. It occurs because user-supplied inputs, such as personal profile fields, are not properly sanitized before being stored and later rendered in the application. This allows attackers to inject malicious scripts that execute persistently when other users view the affected profile, potentially leading to unauthorized script execution in users' browsers. [1, 2, 3]

Impact Analysis

This vulnerability can lead to persistent execution of malicious JavaScript code in users' browsers when they view affected profiles. The impact includes theft of session tokens or sensitive data, and unauthorized actions performed on behalf of authenticated users. Since the attack can be executed remotely and requires only some user interaction, it poses a risk of compromising user data integrity and security. [1, 3]

Detection Guidance

This vulnerability can be detected by testing the vulnerable endpoint `/x_portal_assemble_designer/jaxrs/widget` for stored cross-site scripting (XSS) by sending crafted POST requests with malicious script payloads in JSON fields such as "name", "alias", or "description". For example, you can use curl to send a payload like: curl -X POST -H "Content-Type: application/json" -d '{"name":"<img src=1 onerror=alert(1)>", "alias":"test", "description":"test"}' https://your-o2oa-instance/x_portal_assemble_designer/jaxrs/widget. If the payload executes when viewing the affected profile, the vulnerability is present. [3]

Mitigation Strategies

Immediate mitigation steps include avoiding use of the affected O2OA versions up to 10.0-410, replacing the vulnerable component with an alternative product if possible, and applying input filtering and output encoding to sanitize user inputs in profile fields before storage and rendering. Since no official fix is currently available, restricting access to the vulnerable endpoint and monitoring for suspicious activity are also recommended until a patched version is released. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart