CVE-2025-9716
BaseFortify
Publication date: 2025-08-31
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zoneland | o2oa | to 10.0-410 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9716 is a stored cross-site scripting (XSS) vulnerability in the O2OA application up to version 10.0-410. It occurs in the Personal Profile Page component at the endpoint /x_processplatform_assemble_designer/jaxrs/form. The vulnerability arises because user inputs in fields like name, alias, and description are not properly sanitized before being stored and later rendered. This allows attackers to inject malicious JavaScript code that executes whenever the affected data is viewed, potentially compromising user sessions and data integrity. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can lead to persistent execution of malicious JavaScript in users' browsers when they view the affected profile data. This can result in theft of session tokens, exposure of sensitive user data, and unauthorized actions performed on behalf of authenticated users. The attack can be initiated remotely and requires user interaction to trigger the malicious script. Exploitation is straightforward due to publicly available proof-of-concept code. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the vulnerable endpoint `/x_processplatform_assemble_designer/jaxrs/form` for stored cross-site scripting (XSS) by sending crafted POST requests with malicious script payloads in fields such as "name", "alias", or "description". For example, you can use curl to send a JSON payload containing an XSS vector like `<img src=1 onerror=alert(1)>` to the endpoint and then check if the script executes when viewing the affected profile page. Example command: `curl -X POST -H "Content-Type: application/json" -d '{"name":"<img src=1 onerror=alert(1)>", "alias":"test", "description":"desc"}' https://your-o2oa-instance/x_processplatform_assemble_designer/jaxrs/form`. Monitoring web application logs for suspicious input patterns or unexpected script tags in profile fields can also help detect exploitation attempts. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of the affected version of O2OA (up to 10.0-410) until a patched version is released. Since no official mitigations or countermeasures are currently available, consider replacing or disabling the vulnerable component to prevent exploitation. Additionally, monitor and filter user inputs to the vulnerable endpoint to block malicious scripts, and apply output encoding or sanitization if possible. The vendor has acknowledged the issue and plans to fix it in a future version, so plan to update as soon as a patch is available. [2, 3]