Vulnerability Description
A weakness has been identified in O2OA up to 10.0-410. It affects an unknown part of the file /x_organization_assemble_control/jaxrs/person/ of the component Personal Profile Page. Manipulating the argument Description can lead to cross-site scripting. The attack can be launched remotely. The vendor replied in the GitHub issue (translated from Simplified Chinese): "This issue will be fixed in the new version."
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zoneland | O2OA | <= 10.0-410 |
References
- https://github.com/o2oa/o2oa/issues/172 (Exploit, Issue Tracking, Vendor Advisory)
- https://github.com/o2oa/o2oa/issues/172#issuecomment-3212882108 (Issue Tracking, Vendor Advisory)
- https://vuldb.com/?ctiid.321863 (Permissions Required, VDB Entry)
- https://vuldb.com/?id.321863 (Third Party Advisory, VDB Entry)
- https://vuldb.com/?submit.637131 (Third Party Advisory, VDB Entry)
FAQ
What is CVE-2025-9655?
CVE-2025-9655 is a vulnerability with a CVSS score of 3.5 (LOW). A weakness has been identified in O2OA up to 10.0-410. This affects an unknown part of the file /x_organization_assemble_control/jaxrs/person/ of the component Personal Profile Page. Executing manipul...
How severe is CVE-2025-9655?
CVE-2025-9655 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-9655?
Check the references section above for vendor advisories and patch information. Affected products include: Zoneland O2OA.