CVE-2025-9682
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-30

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_cms_assemble_control/jaxrs/design/appdict of the component Personal Profile Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-30
Last Modified
2026-04-29
Generated
2026-05-06
AI Q&A
2025-08-30
EPSS Evaluated
2026-05-05
NVD
CVE-2025-9682
EUVD
EUVD-2025-26264
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zoneland o2oa to 10.0-410 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-9682 is a stored cross-site scripting (XSS) vulnerability in the O2OA application up to version 10.0-410. It affects the endpoint /x_cms_assemble_control/jaxrs/design/appdict, where user input in personal profile fields is stored without proper sanitization. This allows attackers to inject malicious JavaScript code that executes persistently when other users view the affected profile, potentially compromising their browsers. [1]


How can this vulnerability impact me? :

The vulnerability can lead to persistent execution of malicious JavaScript in users' browsers, which may result in theft of session tokens or sensitive data, and unauthorized actions performed on behalf of authenticated users. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending crafted POST requests to the endpoint /x_cms_assemble_control/jaxrs/design/appdict with JSON data containing typical XSS payloads in fields like "name", "alias", and "description". For example, using curl to send a payload such as "><img src=1 onerror=alert(1)>" can help verify if the input is stored and executed. A sample command is: curl -X POST https://<target>/x_cms_assemble_control/jaxrs/design/appdict -H "Content-Type: application/json" -d '{"name":""><img src=1 onerror=alert(1)>", "alias":"test", "description":"test"}' If the payload executes when viewing the profile, the vulnerability is present. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include filtering and escaping all user inputs in the affected profile fields before storage and applying proper output encoding when rendering this data in the application. Additionally, updating to a fixed version of the software once available is recommended. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart