VYPR
Medium severity (4.3) · NVD Advisory · Published Sep 11, 2025 · Updated Apr 29, 2026

CVE-2025-10272

Description

A vulnerability was determined in erjinzhi 10OA 1.0. Affected is an unknown function of the file /trial/mvc/catalogue. Manipulation of the argument Name causes cross-site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in erjinzhi 10OA 1.0's /trial/mvc/catalogue endpoint allows remote attackers to inject arbitrary JavaScript via the Name parameter.

Vulnerability

Overview

A reflected cross-site scripting (XSS) vulnerability exists in erjinzhi 10OA version 1.0 in the /trial/mvc/catalogue endpoint. The root cause is that the Name parameter of a GET request is written back into the HTML response without output encoding (and without input validation), so markup supplied by the requester is parsed by the browser as part of the page. With the disclosed payload the injected tag carries an onmouseover handler, so the script runs as soon as the victim moves the pointer over the rendered text; no click on the injected element is required [1].

Exploitation

The attack is initiated remotely and, according to the disclosure, needs no authentication. The attacker crafts a URL with a JavaScript payload in the Name parameter, for example ?name=<a/+/onmoUsEOver+=+confirm()>v3dm0s, and gets a user of the application to open it. In that payload the + characters are form-encoded spaces, the / separators and the mixed-case onmoUsEOver are there to get past filters that only match a literal <a onmouseover, and confirm() is a harmless placeholder for arbitrary script. Once the page renders, hovering over the reflected text v3dm0s fires the handler in the origin of the 10OA server, which makes this a low-complexity attack [1].

Impact

A script running in the victim's browser in the 10OA origin can issue requests as that user, read whatever the page exposes, exfiltrate session cookies that are not flagged HttpOnly, or replace page content with a phishing form. Because the endpoint can be reached without logging in, anyone who opens the crafted link is exposed; the damage is greatest when the victim already holds an authenticated 10OA session [1].

Mitigation

The vendor did not respond and no patch is known. Until one is available: apply context-aware output encoding to the Name parameter at the point where it is reflected (entity-encode for the HTML body, and use the attribute or JavaScript encoder if the value lands in those contexts); validate the parameter against an allow-list where the catalogue name has a known shape; restrict or disable the /trial/mvc/catalogue endpoint; mark session cookies HttpOnly so injected script cannot read them; and, if filtering at a WAF, match event-handler attributes case-insensitively, since the disclosed payload's mixed case and / separators are designed to slip past exact-string rules [1].
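The following Python is an added illustration for the Exploitation and Mitigation sections above; it is not code from erjinzhi 10OA or from the disclosure. It models the reflection of the Name parameter as the advisory describes it, shows the hardened rendering with HTML entity encoding, and provides a case-insensitive check that can be run over a captured response body. The hostname, the page template and the assumption that the server binds the parameter name case-insensitively are all hypothetical; only the path and the disclosed payload come from the advisory.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept value from the public disclosure of CVE-2025-10272.
# "+" is the form-encoded space; the "/" separators and mixed case are
# there to slip past filters that only match a literal "<a onmouseover".
DISCLOSED_PAYLOAD = "<a/+/onmoUsEOver+=+confirm()>v3dm0s"

# Constructed attack URL: scheme and host are placeholders, only the path
# and the Name parameter come from the advisory.
ATTACK_URL = "http://10oa.example/trial/mvc/catalogue?Name=" + DISCLOSED_PAYLOAD


def name_from_url(url: str) -> str:
    """Return the Name parameter as a server-side binder would see it.

    Assumption (hypothetical): the binder is case-insensitive on parameter
    names, since the advisory writes "Name" and the PoC uses "name".
    parse_qs turns "+" into a space and decodes %XX escapes, so the tag is
    reconstructed before the value is used.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for key, values in params.items():
        if key.lower() == "name":
            return values[0]
    return ""


def render_vulnerable(url: str) -> str:
    """Models the flawed page: the parameter is interpolated into HTML as-is."""
    return f"<h1>Catalogue: {name_from_url(url)}</h1>"


def render_fixed(url: str) -> str:
    """Hardened variant: entity-encode at the point of reflection.

    html.escape encodes & < > " and ', which is the right encoder for the
    HTML body context modelled here. A value placed inside an attribute or
    a <script> block would need that context's encoder instead.
    """
    return f"<h1>Catalogue: {html.escape(name_from_url(url), quote=True)}</h1>"


# Matches an unencoded tag that carries an on* event handler attribute.
# Case-insensitive so "onmoUsEOver" does not evade it the way it evades
# rules that look for lower-case "onmouseover" only.
EVENT_HANDLER_TAG = re.compile(r"<[a-z][^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def reflects_event_handler(body: str) -> bool:
    """Check for a captured HTTP response body: True when the reflected
    input survived as a live tag with an event handler."""
    return EVENT_HANDLER_TAG.search(body) is not None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = render(ATTACK_URL)
        print(f"{label:10s} reflected handler: {reflects_event_handler(body)}")
        print(f"{'':10s} body: {body}")
```

Run against a live instance, reflects_event_handler would be applied to the body returned for the crafted URL rather than to the modelled templates; a True result on the production endpoint and a False result after the encoding change is the evidence that the fix landed in the right place. The percent-encoded form of the same URL (as a browser would actually send it) decodes to the identical parameter value, so the check is unaffected by how the attacker encodes the link.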

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 4