CVE-2025-9716

🗓️ 31 Aug 2025 04:32:05Reported by VulDBType

cve🔗 web.nvd.nist.gov👁 8 Views🌐 WEB

CVE-2025-9716 enables remote XSS on O2OA Personal Profile Page form up to version 10.0-410.

Reporter	Title	Published	Views	Family All 8
Circl	CVE-2025-9716	31 Aug 202509:15	–	circl
CNNVD	O2OA 安全漏洞	31 Aug 202500:00	–	cnnvd
Cvelist	CVE-2025-9716 O2OA Personal Profile form cross site scripting	31 Aug 202504:32	–	cvelist
EUVD	EUVD-2025-26285	3 Oct 202520:07	–	euvd
NVD	CVE-2025-9716	31 Aug 202505:15	–	nvd
Positive Technologies	PT-2025-35390	31 Aug 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-9716	2 Sep 202505:40	–	redhatcve
Vulnrichment	CVE-2025-9716 O2OA Personal Profile form cross site scripting	31 Aug 202504:32	–	vulnrichment

NVD

Vulners

Node

zoneland o2oaRange≤10.0-410

[
  {
    "vendor": "n/a",
    "product": "O2OA",
    "versions": [
      {
        "version": "10.0-410",
        "status": "affected"
      }
    ],
    "modules": [
      "Personal Profile Page"
    ]
  }
]

Source	Link
vuldb	www.vuldb.com/
github	www.github.com/o2oa/o2oa/issues/182
github	www.github.com/o2oa/o2oa/issues/182
vuldb	www.vuldb.com/
vuldb	www.vuldb.com/
github	www.github.com/o2oa/o2oa/issues/182

Parameter	Position	Path	Description	CWE
name	request body	/x_processplatform_assemble_designer/jaxrs/form	Cross-site scripting due to improper handling of argument names/aliases/descriptions in form submission	CWE-79, CWE-94
alias	request body	/x_processplatform_assemble_designer/jaxrs/form	Cross-site scripting due to improper handling of argument names/aliases/descriptions in form submission	CWE-79, CWE-94
description	request body	/x_processplatform_assemble_designer/jaxrs/form	Cross-site scripting due to improper handling of argument names/aliases/descriptions in form submission	CWE-79, CWE-94

29 Apr 2026 01:00Current

4Medium risk

Vulners AI Score4

CVSS 3.13.5 - 5.4

CVSS 24

CVSS 45.1

CVSS 33.5

EPSS0.00076

SSVC