CVE-2025-9719
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-31

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_processplatform_assemble_designer/jaxrs/script of the component Personal Profile Page. Executing manipulation of the argument name/alias/description/applicationName can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-31
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-08-31
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9719
EUVD
EUVD-2025-28881
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zoneland o2oa to 10.0-410 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9719 is a stored cross-site scripting (XSS) vulnerability in O2OA versions up to 10.0-410, specifically in the Personal Profile Page component. It occurs because user inputs in fields like name, alias, description, and applicationName are not properly sanitized before being stored and later rendered. This allows attackers to inject malicious scripts that execute persistently when other users view the affected profile page, potentially compromising user data and application integrity. [1, 2, 3]

Impact Analysis

This vulnerability can lead to persistent execution of malicious JavaScript in the browsers of users who view the compromised profile pages. This can result in theft of session tokens, exposure of sensitive user data, and unauthorized actions performed on behalf of authenticated users. The attack can be executed remotely and requires some user interaction, making it a significant risk to data integrity and user security. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by testing the vulnerable endpoint `/x_processplatform_assemble_designer/jaxrs/script` for stored cross-site scripting (XSS) by sending crafted POST requests with malicious script payloads in the fields name, alias, description, or applicationName. For example, you can use curl to send a JSON payload containing a script or an image tag with an onerror event to see if the script executes when the profile is viewed. Example command: curl -X POST -H "Content-Type: application/json" -d '{"name":"<img src=x onerror=alert(1)>"}' https://your-o2oa-instance/x_processplatform_assemble_designer/jaxrs/script. Monitoring HTTP traffic for suspicious payloads or unexpected script execution in user profiles can also help detect exploitation attempts. [3]

Mitigation Strategies

Immediate mitigation steps include filtering and escaping user inputs in the affected profile fields (name, alias, description, applicationName) before storing them, and ensuring proper output encoding when rendering these fields to prevent script execution. If possible, consider disabling or restricting access to the vulnerable endpoint until a patch or update is available. Since no known countermeasures or official patches are identified, replacing the affected product or applying custom input sanitization and output encoding is recommended to reduce risk. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9719. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart