CVE-2025-9737

Name of the Vulnerable Software and Affected Versions O2OA versions up to 10.0-410

Description A vulnerability exists in O2OA that allows for cross site scripting. The issue is located in an unknown function within the /x query assemble designer/jaxrs/importmodel file of the Personal Profile Page component. Manipulation of the description, applicationName, and queryName arguments can trigger the vulnerability. Remote exploitation is possible. The exploit is publicly available.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.