CVE-2025-9659

Public Exploit
O2OA Personal Profile widget cross site scripting

Description

A vulnerability has been found in O2OA up to 10.0-410. The affected element is an unknown function of the file /x_portal_assemble_designer/jaxrs/widget of the component Personal Profile Page. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."

Category

5.1
CVSS
Severity: Medium
CVSS 4.0 •
CVSS 3.1 •
CVSS 2.0 •
Third-Party Advisory vuldb.com
Affected: n/a O2OA
Published at:
Updated at:

References

Link Tags
https://vuldb.com/?id.321867 vdb entry
https://vuldb.com/?ctiid.321867 permissions required signature
https://vuldb.com/?submit.637235 third party advisory
https://github.com/o2oa/o2oa/issues/175 issue tracking
https://github.com/o2oa/o2oa/issues/175#issuecomment-3212881171 issue tracking
https://github.com/o2oa/o2oa/issues/175#issue-3332931249 exploit issue tracking

Frequently Asked Questions

What is the severity of CVE-2025-9659?
CVE-2025-9659 has been scored as a medium severity vulnerability.
How to fix CVE-2025-9659?
To fix CVE-2025-9659, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-9659 being actively exploited in the wild?
It is possible that CVE-2025-9659 is being exploited or will be exploited in a near future based on public information.
What software or system is affected by CVE-2025-9659?
CVE-2025-9659 affects n/a O2OA.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.