A security vulnerability has been detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_query_assemble_designer/jaxrs/statement of the component Personal Profile Page. Such manipulation of the argument description/queryName leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."
History

Mon, 01 Sep 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Zoneland
Zoneland o2oa
Vendors & Products Zoneland
Zoneland o2oa

Sun, 31 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_query_assemble_designer/jaxrs/statement of the component Personal Profile Page. Such manipulation of the argument description/queryName leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."
Title O2OA Personal Profile statement cross site scripting
Weaknesses CWE-79
CWE-94
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2025-09-02T15:13:58.930Z

Reserved: 2025-08-30T16:40:57.783Z

Link: CVE-2025-9736

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2025-08-31T16:15:30.930

Modified: 2025-08-31T16:15:30.930

Link: CVE-2025-9736

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-09-01T09:24:50Z