VYPR

Vendor CVEs

O2oa

All CVEs

26 total · sorted by risk
  • CVE-2026-7291MedApr 28, 2026
    risk 0.41cvss 6.3epss 0.00

    A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. It is possible to launch the attack…

  • CVE-2026-2074MedFeb 7, 2026
    risk 0.41cvss 6.3epss 0.00

    A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack…

  • CVE-2026-7292MedApr 28, 2026
    risk 0.36cvss 5.6epss 0.00

    A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The manipulation leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather…

  • CVE-2025-9737LowAug 31, 2025
    risk 0.23cvss 3.5epss 0.00

    A vulnerability was detected in O2OA up to 10.0-410. Affected is an unknown function of the file /x_query_assemble_designer/jaxrs/importmodel of the component Personal Profile Page. Performing manipulation of the argument description/applicationName/queryName results in cross…

  • CVE-2025-9736LowAug 31, 2025
    risk 0.23cvss 3.5epss 0.00

    A security vulnerability has been detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_query_assemble_designer/jaxrs/statement of the component Personal Profile Page. Such manipulation of the argument description/queryName leads to cross site…

  • CVE-2025-9735LowAug 31, 2025
    risk 0.23cvss 3.5epss 0.00

    A weakness has been identified in O2OA up to 10.0-410. This affects an unknown function of the file /x_query_assemble_designer/jaxrs/table of the component Personal Profile Page. This manipulation of the argument description/applicationName/queryName causes cross site scripting.…

  • CVE-2025-9734LowAug 31, 2025
    risk 0.23cvss 3.5epss 0.00

    A security flaw has been discovered in O2OA up to 10.0-410. The impacted element is an unknown function of the file /x_query_assemble_designer/jaxrs/stat of the component Personal Profile Page. The manipulation of the argument name/alias/description/applicationName results in…

  • CVE-2025-9719LowAug 31, 2025
    risk 0.23cvss 3.5epss 0.00

    A weakness has been identified in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_processplatform_assemble_designer/jaxrs/script of the component Personal Profile Page. Executing manipulation of the argument name/alias/description/applicationName can…

  • CVE-2025-9718LowAug 31, 2025
    risk 0.23cvss 3.5epss 0.00

    A security flaw has been discovered in O2OA up to 10.0-410. This affects an unknown part of the file /x_processplatform_assemble_designer/jaxrs/process of the component Personal Profile Page. Performing manipulation of the argument name/alias results in cross site scripting.…

  • CVE-2025-9717LowAug 31, 2025
    risk 0.23cvss 3.5epss 0.00

    A vulnerability was identified in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_organization_assemble_control/jaxrs/unit/ of the component Personal Profile Page. Such manipulation of the argument name/shortName/distinguishedName/pinyin/p…

  • CVE-2025-9716LowAug 31, 2025
    risk 0.23cvss 3.5epss 0.00

    A vulnerability was determined in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_processplatform_assemble_designer/jaxrs/form of the component Personal Profile Page. This manipulation of the argument name/alias/description causes…

  • CVE-2025-9715LowAug 31, 2025
    risk 0.23cvss 3.5epss 0.00

    A vulnerability was found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_cms_assemble_control/jaxrs/script of the component Personal Profile Page. The manipulation of the argument name/alias/description results in cross site scripting. The attack can be…

  • CVE-2025-9683LowAug 30, 2025
    risk 0.23cvss 3.5epss 0.00

    A vulnerability was found in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_cms_assemble_control/jaxrs/form of the component Personal Profile Page. The manipulation results in cross site scripting. The attack may be launched remotely.…

  • CVE-2025-9682LowAug 30, 2025
    risk 0.23cvss 3.5epss 0.00

    A vulnerability has been found in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_cms_assemble_control/jaxrs/design/appdict of the component Personal Profile Page. The manipulation leads to cross site scripting. The attack may be…

  • CVE-2025-9681LowAug 30, 2025
    risk 0.23cvss 3.5epss 0.00

    A flaw has been found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_program_center/jaxrs/agent of the component Personal Profile Page. Executing manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been…

  • CVE-2025-9680LowAug 30, 2025
    risk 0.23cvss 3.5epss 0.00

    A vulnerability was detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_portal_assemble_designer/jaxrs/page of the component Personal Profile Page. Performing manipulation results in cross site scripting. The attack can be initiated remotely. The…

  • CVE-2025-9659LowAug 29, 2025
    risk 0.23cvss 3.5epss 0.00

    A vulnerability has been found in O2OA up to 10.0-410. The affected element is an unknown function of the file /x_portal_assemble_designer/jaxrs/widget of the component Personal Profile Page. Such manipulation leads to cross site scripting. The attack can be executed remotely.…

  • CVE-2025-9658LowAug 29, 2025
    risk 0.23cvss 3.5epss 0.00

    A flaw has been found in O2OA up to 10.0-410. Impacted is an unknown function of the file /x_portal_assemble_designer/jaxrs/dict/ of the component Personal Profile Page. This manipulation of the argument name/alias/description causes cross site scripting. Remote exploitation of…

  • CVE-2025-9657LowAug 29, 2025
    risk 0.23cvss 3.5epss 0.00

    A vulnerability was detected in O2OA up to 10.0-410. This issue affects some unknown processing of the file /x_program_center/jaxrs/script of the component Personal Profile Page. The manipulation of the argument name/alias/description results in cross site scripting. The attack…

  • CVE-2025-9646LowAug 29, 2025
    risk 0.23cvss 3.5epss 0.00

    A security flaw has been discovered in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_organization_assemble_personal/jaxrs/definition/calendarConfig. The manipulation of the argument toMonthViewName results in cross site scripting. The attack can be…

  • CVE-2022-22916Feb 17, 2022
    risk 0.07cvss epss 0.40

    O2OA v6.4.7 was discovered to contain a remote code execution (RCE) vulnerability via /x_program_center/jaxrs/invoke.

  • CVE-2025-9655Aug 29, 2025
    risk 0.00cvss epss 0.00

    A weakness has been identified in O2OA up to 10.0-410. This affects an unknown part of the file /x_organization_assemble_control/jaxrs/person/ of the component Personal Profile Page. Executing manipulation of the argument Description can lead to cross site scripting. The attack…

  • CVE-2024-37777Aug 27, 2025
    risk 0.00cvss epss 0.00

    O2OA v9.0.3 was discovered to contain a remote code execution (RCE) vulnerability via the mainOutput() function.

  • CVE-2025-22994Jan 31, 2025
    risk 0.00cvss epss 0.00

    O2OA 9.1.3 is vulnerable to Cross Site Scripting (XSS) in Meetings - Settings.

  • CVE-2024-35591May 24, 2024
    risk 0.00cvss epss 0.00

    An arbitrary file upload vulnerability in O2OA v8.3.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.

  • CVE-2023-47418Nov 30, 2023
    risk 0.00cvss epss 0.02

    Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and before, allows attackers to create a new interface in the service management function to execute JavaScript.