CVE-2025-29688

Name of the Vulnerable Software and Affected Versions: OA System versions prior to 2025.01.01

Description: A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at the "/daymanager/daymanageabilitycontroller.java" endpoint.

Recommendations: For versions prior to 2025.01.01, update to version 2025.01.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/daymanager/daymanageabilitycontroller.java" endpoint to minimize the risk of exploitation. Avoid using the title parameter in the affected endpoint until the issue is resolved.