CVE-2025-10274
Description
A security flaw has been discovered in erjinzhi 10OA 1.0. Affected by this issue is some unknown functionality of the file /trial/mvc/item. Manipulation of the argument Name results in cross-site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in erjinzhi 10OA 1.0 allows remote attackers to inject arbitrary JavaScript via the Name parameter.
Vulnerability Description
A reflected cross-site scripting (XSS) vulnerability exists in erjinzhi 10OA version 1.0, specifically in the /trial/mvc/item endpoint. The Name GET parameter is not properly sanitized, allowing an attacker to inject arbitrary HTML and JavaScript code that is immediately reflected back in the server's response [1].
Exploitation
Exploitation requires no authentication and can be initiated remotely. The attacker can craft a malicious URL containing a payload in the Name parameter, such as <A%09ONmouSEoveR+=+a=prompt,a()>v3dm0s, which executes when a victim hovers over the injected element [1]. No special privileges or network access are needed beyond a standard web browser.
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data theft, or phishing attacks, potentially compromising user accounts and sensitive information [1].
Mitigation
The vendor was contacted but did not respond, and no official patch has been released. As a result, users of 10OA 1.0 are advised to implement input validation and output encoding on the Name parameter, or consider alternative solutions until a fix is provided [1].
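The input validation and output encoding recommended above, as an added Python example that is not part of this advisory or of 10OA itself: a renderer with the defect beside a hardened one, plus a check that tells whether a submitted Name value comes back as live markup. The page template, the 64-character limit and the control-character rule are assumptions; the real 10OA markup is not known from the advisory.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed request value, URL-decoded from the payload shape the advisory
# quotes for the Name parameter. The %09 decodes to a tab, which is why a
# validator that only looks for spaces before attributes would miss it.
RAW_QUERY_VALUE = "<A%09ONmouSEoveR+=+a=prompt,a()>v3dm0s"
SAMPLE_NAME = unquote_plus(RAW_QUERY_VALUE)

# Hypothetical page template standing in for whatever /trial/mvc/item
# renders; the real 10OA markup is not known from the advisory.
TEMPLATE = "<html><body><h1>Item: {name}</h1></body></html>"

# Assumed validation rule: item names never legitimately contain control
# characters (tab, newline, NUL ...), so reject them outright.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def render_vulnerable(name: str) -> tuple[int, str]:
    """The defect: the Name parameter is dropped into the HTML verbatim."""
    return 200, TEMPLATE.format(name=name)


def render_hardened(name: str, max_len: int = 64) -> tuple[int, str]:
    """Mitigation the advisory recommends: validate the input, then encode
    whatever passes for the HTML context it lands in."""
    if len(name) > max_len or CONTROL_CHARS.search(name):
        return 400, TEMPLATE.format(name="invalid item name")
    # quote=True also encodes " and ', so the value stays inert inside an
    # attribute value as well as in element text.
    return 200, TEMPLATE.format(name=html.escape(name, quote=True))


def reflects_markup(render, name: str) -> bool:
    """Detection check: does the submitted value come back as live markup?
    Compares the number of '<' in the page against a render with an empty
    value, so any '<' that survives from the input shows up as an extra tag
    opener regardless of what follows it."""
    _, baseline = render("")
    _, page = render(name)
    return page.count("<") > baseline.count("<")


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup(render_vulnerable, SAMPLE_NAME))
    print("hardened reflects markup:", reflects_markup(render_hardened, SAMPLE_NAME))
    print(render_hardened("<b>Widget</b>")[1])
```

The same `reflects_markup` comparison can be run against a staging instance's real responses to confirm that a deployed fix actually encodes the parameter rather than merely filtering one payload shape.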
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/1276486/CVE/issues/9 (NVD tags: Exploit, Issue Tracking, Third Party Advisory)
- vuldb.com (NVD tags: Third Party Advisory, VDB Entry)
- vuldb.com (NVD tags: Third Party Advisory, VDB Entry)
- vuldb.com (NVD tags: Permissions Required, VDB Entry)
News mentions (0)
No linked articles in our index yet.