CVE-2025-9659
BaseFortify
Publication date: 2025-08-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zoneland | o2oa | to 10.0-410 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9659 is a stored cross-site scripting (XSS) vulnerability in O2OA versions up to 10.0-410, specifically in the /x_portal_assemble_designer/jaxrs/widget endpoint of the Personal Profile Page component. It occurs because user-supplied inputs, such as personal profile fields, are not properly sanitized before being stored and later rendered in the application. This allows attackers to inject malicious scripts that execute persistently when other users view the affected profile, potentially leading to unauthorized script execution in users' browsers. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to persistent execution of malicious JavaScript code in users' browsers when they view affected profiles. The impact includes theft of session tokens or sensitive data, and unauthorized actions performed on behalf of authenticated users. Since the attack can be executed remotely and requires only some user interaction, it poses a risk of compromising user data integrity and security. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable endpoint `/x_portal_assemble_designer/jaxrs/widget` for stored cross-site scripting (XSS) by sending crafted POST requests with malicious script payloads in JSON fields such as "name", "alias", or "description". For example, you can use curl to send a payload like: curl -X POST -H "Content-Type: application/json" -d '{"name":"<img src=1 onerror=alert(1)>", "alias":"test", "description":"test"}' https://your-o2oa-instance/x_portal_assemble_designer/jaxrs/widget. If the payload executes when viewing the affected profile, the vulnerability is present. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of the affected O2OA versions up to 10.0-410, replacing the vulnerable component with an alternative product if possible, and applying input filtering and output encoding to sanitize user inputs in profile fields before storage and rendering. Since no official fix is currently available, restricting access to the vulnerable endpoint and monitoring for suspicious activity are also recommended until a patched version is released. [1, 3]