CVE-2025-9658

Sažetak

A flaw has been found in O2OA up to 10.0-410. Impacted is an unknown function of the file /x_portal_assemble_designer/jaxrs/dict/ of the component Personal Profile Page. This manipulation of the argument name/alias/description causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."

Reference

https://github.com/o2oa/o2oa/issues/174
https://github.com/o2oa/o2oa/issues/174#issue-3332928772
https://github.com/o2oa/o2oa/issues/174#issuecomment-3212881333
https://vuldb.com/?ctiid.321866
https://vuldb.com/?id.321866
https://vuldb.com/?submit.637221

CVSS

Base:	4.0
Impact:	2.9
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:S/C:N/I:P/A:N

Zadnje važnije ažuriranje

29-08-2025 - 16:24

Objavljeno

29-08-2025 - 16:15