CVE-2025-9646— O2OA calendarConfig cross site scripting

CVSS 3.5 · Low EPSS 0.04% · P13 Updated Aug 29, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-9646

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

O2OA calendarConfig cross site scripting

Source: NVD (National Vulnerability Database)

Vulnerability Description

A security flaw has been discovered in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_organization_assemble_personal/jaxrs/definition/calendarConfig. The manipulation of the argument toMonthViewName results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version."

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

O2OA 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

O2OA是O2OA开源的一款企业应用开发平台。 O2OA 10.0-410及之前版本存在安全漏洞，该漏洞源于文件/x_organization_assemble_personal/jaxrs/definition/calendarConfig中参数toMonthViewName的错误操作导致跨站脚本。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
-	O2OA	10.0-410	-

II. Public POCs for CVE-2025-9646

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-9646

请登录查看更多情报信息。

https://nvd.nist.gov/vuln/detail/CVE-2025-9646

Same Patch Batch · n/a · 2025-08-29 · 17 CVEs total

CVE-2025-9675	5.3 MEDIUM	Voice Changer App com.tuyangkeji.changevoice AndroidManifest.xml improper export of androi
CVE-2025-9672	5.3 MEDIUM	Rejseplanen App de.hafas.android.rejseplanen AndroidManifest.xml improper export of androi
CVE-2025-9604	3.7 LOW	coze-studio aes.go hard-coded key
CVE-2025-9659	3.5 LOW	O2OA Personal Profile widget cross site scripting
CVE-2025-9658	3.5 LOW	O2OA Personal Profile dict cross site scripting
CVE-2025-9657	3.5 LOW	O2OA Personal Profile script cross site scripting
CVE-2025-9655	3.5 LOW	O2OA Personal Profile person cross site scripting
CVE-2024-46916		Diebold Nixdorf Vynamic Security Suite 安全漏洞
CVE-2024-46917		Diebold Nixdorf Vynamic Security Suite 安全漏洞
CVE-2025-55580		SolidInvoice 安全漏洞
CVE-2025-55579		SolidInvoice 安全漏洞
CVE-2025-55763		CivetWeb 安全漏洞
CVE-2025-44033		oasys 安全漏洞
CVE-2023-41471		Copyparty 安全漏洞
CVE-2024-46484		TRENDnet TV-IP410 安全漏洞
CVE-2025-56577		Evope Core 安全漏洞

IV. Related Vulnerabilities

Same product: O2OA

Same vendor: n/a

Same weakness: CWE-79

V. Comments for CVE-2025-9646

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-9646— O2OA calendarConfig cross site scripting

I. Basic Information for CVE-2025-9646

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-9646

III. Intelligence Information for CVE-2025-9646

Same Patch Batch · n/a · 2025-08-29 · 17 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2025-9646

Leave a comment