Vendor CVEs
O2oa
All CVEs
26 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-7291 | Med | 0.41 | 6.3 | 0.00 | Apr 28, 2026 | A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack… | ||
| CVE-2026-2074 | Med | 0.41 | 6.3 | 0.00 | Feb 7, 2026 | A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack… | ||
| CVE-2026-7292 | Med | 0.36 | 5.6 | 0.00 | Apr 28, 2026 | A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather… | ||
| CVE-2025-9737 | Low | 0.23 | 3.5 | 0.00 | Aug 31, 2025 | A vulnerability was detected in O2OA up to 10.0-410. Affected is an unknown function of the file /x_query_assemble_designer/jaxrs/importmodel of the component Personal Profile Page. Performing manipulation of the argument description/applicationName/queryName results in cross… | ||
| CVE-2025-9736 | Low | 0.23 | 3.5 | 0.00 | Aug 31, 2025 | A security vulnerability has been detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_query_assemble_designer/jaxrs/statement of the component Personal Profile Page. Such manipulation of the argument description/queryName leads to cross site… | ||
| CVE-2025-9735 | Low | 0.23 | 3.5 | 0.00 | Aug 31, 2025 | A weakness has been identified in O2OA up to 10.0-410. This affects an unknown function of the file /x_query_assemble_designer/jaxrs/table of the component Personal Profile Page. This manipulation of the argument description/applicationName/queryName causes cross site scripting.… | ||
| CVE-2025-9734 | Low | 0.23 | 3.5 | 0.00 | Aug 31, 2025 | A security flaw has been discovered in O2OA up to 10.0-410. The impacted element is an unknown function of the file /x_query_assemble_designer/jaxrs/stat of the component Personal Profile Page. The manipulation of the argument name/alias/description/applicationName results in… | ||
| CVE-2025-9719 | Low | 0.23 | 3.5 | 0.00 | Aug 31, 2025 | A weakness has been identified in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_processplatform_assemble_designer/jaxrs/script of the component Personal Profile Page. Executing manipulation of the argument name/alias/description/applicationName can… | ||
| CVE-2025-9718 | Low | 0.23 | 3.5 | 0.00 | Aug 31, 2025 | A security flaw has been discovered in O2OA up to 10.0-410. This affects an unknown part of the file /x_processplatform_assemble_designer/jaxrs/process of the component Personal Profile Page. Performing manipulation of the argument name/alias results in cross site scripting.… | ||
| CVE-2025-9717 | Low | 0.23 | 3.5 | 0.00 | Aug 31, 2025 | A vulnerability was identified in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_organization_assemble_control/jaxrs/unit/ of the component Personal Profile Page. Such manipulation of the argument name/shortName/distinguishedName/pinyin/p… | ||
| CVE-2025-9716 | Low | 0.23 | 3.5 | 0.00 | Aug 31, 2025 | A vulnerability was determined in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_processplatform_assemble_designer/jaxrs/form of the component Personal Profile Page. This manipulation of the argument name/alias/description causes… | ||
| CVE-2025-9715 | Low | 0.23 | 3.5 | 0.00 | Aug 31, 2025 | A vulnerability was found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_cms_assemble_control/jaxrs/script of the component Personal Profile Page. The manipulation of the argument name/alias/description results in cross site scripting. The attack can be… | ||
| CVE-2025-9683 | Low | 0.23 | 3.5 | 0.00 | Aug 30, 2025 | A vulnerability was found in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_cms_assemble_control/jaxrs/form of the component Personal Profile Page. The manipulation results in cross site scripting. The attack may be launched remotely.… | ||
| CVE-2025-9682 | Low | 0.23 | 3.5 | 0.00 | Aug 30, 2025 | A vulnerability has been found in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_cms_assemble_control/jaxrs/design/appdict of the component Personal Profile Page. The manipulation leads to cross site scripting. The attack may be… | ||
| CVE-2025-9681 | Low | 0.23 | 3.5 | 0.00 | Aug 30, 2025 | A flaw has been found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_program_center/jaxrs/agent of the component Personal Profile Page. Executing manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been… | ||
| CVE-2025-9680 | Low | 0.23 | 3.5 | 0.00 | Aug 30, 2025 | A vulnerability was detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_portal_assemble_designer/jaxrs/page of the component Personal Profile Page. Performing manipulation results in cross site scripting. The attack can be initiated remotely. The… | ||
| CVE-2025-9659 | Low | 0.23 | 3.5 | 0.00 | Aug 29, 2025 | A vulnerability has been found in O2OA up to 10.0-410. The affected element is an unknown function of the file /x_portal_assemble_designer/jaxrs/widget of the component Personal Profile Page. Such manipulation leads to cross site scripting. The attack can be executed remotely.… | ||
| CVE-2025-9658 | Low | 0.23 | 3.5 | 0.00 | Aug 29, 2025 | A flaw has been found in O2OA up to 10.0-410. Impacted is an unknown function of the file /x_portal_assemble_designer/jaxrs/dict/ of the component Personal Profile Page. This manipulation of the argument name/alias/description causes cross site scripting. Remote exploitation of… | ||
| CVE-2025-9657 | Low | 0.23 | 3.5 | 0.00 | Aug 29, 2025 | A vulnerability was detected in O2OA up to 10.0-410. This issue affects some unknown processing of the file /x_program_center/jaxrs/script of the component Personal Profile Page. The manipulation of the argument name/alias/description results in cross site scripting. The attack… | ||
| CVE-2025-9646 | Low | 0.23 | 3.5 | 0.00 | Aug 29, 2025 | A security flaw has been discovered in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_organization_assemble_personal/jaxrs/definition/calendarConfig. The manipulation of the argument toMonthViewName results in cross site scripting. The attack can be… | ||
| CVE-2022-22916 | 0.07 | — | 0.40 | Feb 17, 2022 | O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke. | |||
| CVE-2025-9655 | 0.00 | — | 0.00 | Aug 29, 2025 | A weakness has been identified in O2OA up to 10.0-410. This affects an unknown part of the file /x_organization_assemble_control/jaxrs/person/ of the component Personal Profile Page. Executing manipulation of the argument Description can lead to cross site scripting. The attack… | |||
| CVE-2024-37777 | 0.00 | — | 0.00 | Aug 27, 2025 | O2OA v9.0.3 was discovered to contain a remote code execution (RCE) vulnerability via the mainOutput() function. | |||
| CVE-2025-22994 | 0.00 | — | 0.00 | Jan 31, 2025 | O2OA 9.1.3 is vulnerable to Cross Site Scripting (XSS) in Meetings - Settings. | |||
| CVE-2024-35591 | 0.00 | — | 0.00 | May 24, 2024 | An arbitrary file upload vulnerability in O2OA v8.3.8 allows attackers to execute arbitrary code via uploading a crafted PDF file. | |||
| CVE-2023-47418 | 0.00 | — | 0.02 | Nov 30, 2023 | Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and before, allows attackers to create a new interface in the service management function to execute JavaScript. |
- risk 0.41cvss 6.3epss 0.00
A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack…
- risk 0.41cvss 6.3epss 0.00
A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack…
- risk 0.36cvss 5.6epss 0.00
A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather…
- risk 0.23cvss 3.5epss 0.00
A vulnerability was detected in O2OA up to 10.0-410. Affected is an unknown function of the file /x_query_assemble_designer/jaxrs/importmodel of the component Personal Profile Page. Performing manipulation of the argument description/applicationName/queryName results in cross…
- risk 0.23cvss 3.5epss 0.00
A security vulnerability has been detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_query_assemble_designer/jaxrs/statement of the component Personal Profile Page. Such manipulation of the argument description/queryName leads to cross site…
- risk 0.23cvss 3.5epss 0.00
A weakness has been identified in O2OA up to 10.0-410. This affects an unknown function of the file /x_query_assemble_designer/jaxrs/table of the component Personal Profile Page. This manipulation of the argument description/applicationName/queryName causes cross site scripting.…
- risk 0.23cvss 3.5epss 0.00
A security flaw has been discovered in O2OA up to 10.0-410. The impacted element is an unknown function of the file /x_query_assemble_designer/jaxrs/stat of the component Personal Profile Page. The manipulation of the argument name/alias/description/applicationName results in…
- risk 0.23cvss 3.5epss 0.00
A weakness has been identified in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_processplatform_assemble_designer/jaxrs/script of the component Personal Profile Page. Executing manipulation of the argument name/alias/description/applicationName can…
- risk 0.23cvss 3.5epss 0.00
A security flaw has been discovered in O2OA up to 10.0-410. This affects an unknown part of the file /x_processplatform_assemble_designer/jaxrs/process of the component Personal Profile Page. Performing manipulation of the argument name/alias results in cross site scripting.…
- risk 0.23cvss 3.5epss 0.00
A vulnerability was identified in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_organization_assemble_control/jaxrs/unit/ of the component Personal Profile Page. Such manipulation of the argument name/shortName/distinguishedName/pinyin/p…
- risk 0.23cvss 3.5epss 0.00
A vulnerability was determined in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_processplatform_assemble_designer/jaxrs/form of the component Personal Profile Page. This manipulation of the argument name/alias/description causes…
- risk 0.23cvss 3.5epss 0.00
A vulnerability was found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_cms_assemble_control/jaxrs/script of the component Personal Profile Page. The manipulation of the argument name/alias/description results in cross site scripting. The attack can be…
- risk 0.23cvss 3.5epss 0.00
A vulnerability was found in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_cms_assemble_control/jaxrs/form of the component Personal Profile Page. The manipulation results in cross site scripting. The attack may be launched remotely.…
- risk 0.23cvss 3.5epss 0.00
A vulnerability has been found in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_cms_assemble_control/jaxrs/design/appdict of the component Personal Profile Page. The manipulation leads to cross site scripting. The attack may be…
- risk 0.23cvss 3.5epss 0.00
A flaw has been found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_program_center/jaxrs/agent of the component Personal Profile Page. Executing manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been…
- risk 0.23cvss 3.5epss 0.00
A vulnerability was detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_portal_assemble_designer/jaxrs/page of the component Personal Profile Page. Performing manipulation results in cross site scripting. The attack can be initiated remotely. The…
- risk 0.23cvss 3.5epss 0.00
A vulnerability has been found in O2OA up to 10.0-410. The affected element is an unknown function of the file /x_portal_assemble_designer/jaxrs/widget of the component Personal Profile Page. Such manipulation leads to cross site scripting. The attack can be executed remotely.…
- risk 0.23cvss 3.5epss 0.00
A flaw has been found in O2OA up to 10.0-410. Impacted is an unknown function of the file /x_portal_assemble_designer/jaxrs/dict/ of the component Personal Profile Page. This manipulation of the argument name/alias/description causes cross site scripting. Remote exploitation of…
- risk 0.23cvss 3.5epss 0.00
A vulnerability was detected in O2OA up to 10.0-410. This issue affects some unknown processing of the file /x_program_center/jaxrs/script of the component Personal Profile Page. The manipulation of the argument name/alias/description results in cross site scripting. The attack…
- risk 0.23cvss 3.5epss 0.00
A security flaw has been discovered in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_organization_assemble_personal/jaxrs/definition/calendarConfig. The manipulation of the argument toMonthViewName results in cross site scripting. The attack can be…
- CVE-2022-22916Feb 17, 2022risk 0.07cvss —epss 0.40
O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.
- CVE-2025-9655Aug 29, 2025risk 0.00cvss —epss 0.00
A weakness has been identified in O2OA up to 10.0-410. This affects an unknown part of the file /x_organization_assemble_control/jaxrs/person/ of the component Personal Profile Page. Executing manipulation of the argument Description can lead to cross site scripting. The attack…
- CVE-2024-37777Aug 27, 2025risk 0.00cvss —epss 0.00
O2OA v9.0.3 was discovered to contain a remote code execution (RCE) vulnerability via the mainOutput() function.
- CVE-2025-22994Jan 31, 2025risk 0.00cvss —epss 0.00
O2OA 9.1.3 is vulnerable to Cross Site Scripting (XSS) in Meetings - Settings.
- CVE-2024-35591May 24, 2024risk 0.00cvss —epss 0.00
An arbitrary file upload vulnerability in O2OA v8.3.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.
- CVE-2023-47418Nov 30, 2023risk 0.00cvss —epss 0.02
Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and before, allows attackers to create a new interface in the service management function to execute JavaScript.