CVE-2025-10271

Root Cause CVE-2025-10271 describes a reflected cross-site scripting (XSS) vulnerability in erjinzhi 10OA version 1.0. The flaw resides in the /trial/mvc/finder endpoint, where the name parameter taken from GET requests is insufficiently sanitized before being reflected in the server's response. This allows an attacker to inject arbitrary JavaScript payloads [1].

Exploitation The attack is remotely exploitable without requiring any authentication or prior login. An attacker can craft a malicious URL containing a payload, such as ?catalogue=150100&field=name&name=<a/+/onmoUsEOver+=+confirm()>v3dm0s, and trick a victim into opening that link. When the victim's browser loads the response and the user performs a simple interaction like a mouse hover (due to the onmouseover event), the injected script executes in the context of the victim's session [1].

Impact Successful exploitation enables the attacker to perform actions on behalf of the authenticated user, steal sensitive session cookies or tokens, and potentially conduct phishing attacks against users of the OA system. Since the application is an office automation system, compromise could lead to exposure of internal data or unauthorized actions [1].

Mitigation The vendor was contacted but did not respond. No official patch or advisory has been released as of publication. Users should apply input sanitization and output encoding for the name parameter and all user-supplied input on affected endpoints. Because this vulnerability has been publicly disclosed with a proof of concept, it may be added to CISA's Known Exploited Vulnerabilities (KEV) catalog in the future [1].