CVE-2025-29686

Name of the Vulnerable Software and Affected Versions: OA System versions prior to 2025.01.01

Description: A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at the "/inform/InformManageController.java" endpoint.

Recommendations: For versions prior to 2025.01.01, update to version 2025.01.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the /inform/InformManageController.java endpoint or validating and sanitizing the title parameter to prevent malicious input.