CVE-2025-9646 | O2OA up to 10.0-410 calendarConfig toMonthViewName cross site scripting (Issue 170)

SecurityVulns

A vulnerability was found in O2OA up to 10.0-410 and has been classified as problematic. It affects an unspecified part of the file /x_organization_assemble_personal/jaxrs/definition/calendarConfig. Manipulating the argument toMonthViewName results in cross-site scripting.

This vulnerability is reported as CVE-2025-9646. The attack can be launched remotely. Moreover, an exploit is present.

The vendor replied in the GitHub issue (translated from simplified Chinese): “This issue will be fixed in the new version.”