CVE-2025-10272

Name of the Vulnerable Software and Affected Versions: erjinzhi 10OA version 1.0

Description: A vulnerability exists in erjinzhi 10OA version 1.0. The issue involves cross site scripting caused by manipulation of the Name argument in an unknown function of the /trial/mvc/catalogue file. This manipulation can be initiated remotely. The exploit has been publicly disclosed. The vendor was contacted regarding this disclosure but did not respond.

Recommendations: As a temporary workaround, consider restricting access to the /trial/mvc/catalogue file to minimize the risk of exploitation. Sanitize the Name argument to prevent the injection of malicious scripts. Disable or remove the vulnerable function if it is not essential for the application's functionality.