CVE-2025-9681
BaseFortify
Publication date: 2025-08-30
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zoneland | o2oa | to 10.0-410 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9681 is a stored cross-site scripting (XSS) vulnerability in the O2OA application, specifically affecting the Personal Profile Page component at the endpoint `/x_program_center/jaxrs/agent`. The vulnerability occurs because user-supplied inputs, such as profile fields like name, alias, and cron, are stored without proper sanitization or neutralization. When these unsanitized inputs are later rendered by the application, malicious JavaScript code can execute in the browsers of users who view the affected profiles. This allows remote attackers to inject persistent scripts that execute whenever the data is viewed, potentially compromising user security. Exploitation requires sending crafted requests with malicious payloads, and a proof-of-concept exploit is publicly available. The vendor has acknowledged the issue and plans to fix it in a future version. [1, 2, 3, 4, 5]
How can this vulnerability impact me? :
This vulnerability can lead to persistent execution of malicious JavaScript in the browsers of users who view the affected personal profile pages. The impact includes theft of session tokens or sensitive user data, unauthorized actions performed on behalf of authenticated users, and potential compromise of data integrity. Because the attack is remotely exploitable and requires only some user interaction, it poses a moderate security risk. There are currently no known mitigations other than replacing the product or awaiting a vendor fix. [1, 4, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted POST requests to the vulnerable endpoint `/x_program_center/jaxrs/agent` with malicious payloads in JSON fields such as "name", "alias", and "cron". For example, a test payload like `"><img src=1 onerror=alert(1)>` can be used to check if the input is improperly sanitized and leads to script execution when the profile is viewed. A sample curl command to test this could be: curl -X POST "http://<target>/x_program_center/jaxrs/agent" -H "Content-Type: application/json" -d '{"name": "\" ><img src=1 onerror=alert(1)> ", "alias": "\" ><img src=1 onerror=alert(1)> ", "cron": "\" ><img src=1 onerror=alert(1)> ", "isNewAgent": true}' After sending this request, viewing the affected profile page should trigger the alert if the vulnerability exists. Monitoring web traffic for such payloads or unexpected script execution can also help detect exploitation attempts. [4, 5]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include filtering and escaping user inputs in the personal profile fields before storing them, and ensuring proper output encoding when rendering these fields in the application to prevent script execution. Since no official fix is currently available, replacing the vulnerable product with an alternative or upgrading to a fixed version once released is recommended. Additionally, monitoring and blocking suspicious POST requests to the `/x_program_center/jaxrs/agent` endpoint can help reduce exploitation risk. [1, 4, 5]