CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-37624
https://notcve.org/view.php?id=CVE-2024-37624
17 Jun 2024 — Xinhu RockOA v2.6.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the /chajian/inputChajian.php. component. Se descubrió que Xinhu RockOA v2.6.3 contenía una vulnerabilidad de cross site scripting (XSS) reflejado a través de /chajian/inputChajian.php. componente. • https://github.com/rainrocka/xinhu/issues/6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49363
https://notcve.org/view.php?id=CVE-2023-49363
13 Dec 2023 — Rockoa <2.3.3 is vulnerable to SQL Injection. The problem exists in the indexAction method in reimpAction.php. Rockoa en versiones < 2.3.3 es vulnerable a la inyección SQL. El problema existe en el método indexAction en reimpAction.php. • https://github.com/wednesdaygogo/Vulnerability-recurrence/blob/main/rockoa%20less%20than%202.3.3%20sql%20injection%20vulnerability.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5297 – Xinhu RockOA start backup
https://notcve.org/view.php?id=CVE-2023-5297
29 Sep 2023 — A vulnerability was found in Xinhu RockOA 2.3.2. It has been classified as problematic. This affects the function start of the file task.php?m=sys|runt&a=beifen. The manipulation leads to exposure of backup file to an unauthorized control sphere. • https://github.com/magicwave18/vuldb/issues/2 • CWE-530: Exposure of Backup File to an Unauthorized Control Sphere CWE-552: Files or Directories Accessible to External Parties •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2023-5296 – Xinhu RockOA Password password recovery
https://notcve.org/view.php?id=CVE-2023-5296
29 Sep 2023 — A vulnerability was found in Xinhu RockOA 1.1/2.3.2/15.X3amdi and classified as problematic. Affected by this issue is some unknown functionality of the file api.php?m=reimplat&a=index of the component Password Handler. The manipulation leads to weak password recovery. The attack may be launched remotely. • https://github.com/magicwave18/vuldb/issues/1 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-1773 – Rockoa Configuration File webmainConfig.php code injection
https://notcve.org/view.php?id=CVE-2023-1773
31 Mar 2023 — A vulnerability was found in Rockoa 2.3.2. It has been declared as critical. This vulnerability affects unknown code of the file webmainConfig.php of the component Configuration File Handler. The manipulation leads to code injection. The attack can be initiated remotely. • https://github.com/CTF-Archives/xinhu-v2.3.2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1501 – RockOA acloudCosAction.php.SQL runAction unrestricted upload
https://notcve.org/view.php?id=CVE-2023-1501
19 Mar 2023 — A vulnerability, which was classified as critical, was found in RockOA 2.3.2. This affects the function runAction of the file acloudCosAction.php.SQL. The manipulation of the argument fileid leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://gitee.com/xieqiangweb/cve/blob/master/cve/Rockoa.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-20593
https://notcve.org/view.php?id=CVE-2020-20593
22 Dec 2021 — A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an administrator account. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en Rockoa versión v1.9.8, permite a un atacante autenticado añadir arbitrariamente una cuenta de administrador • http://www.rockoa.com/view_demo.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18716
https://notcve.org/view.php?id=CVE-2020-18716
04 Feb 2021 — SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordAction.php. Una inyección SQL en Rockoa versión v1.8.7, permite a atacantes remotos alcanzar privilegios debido a un filtrado impreciso de parámetros en el archivo wordAction.php • https://www.seebug.org/vuldb/ssvid-97867 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18714
https://notcve.org/view.php?id=CVE-2020-18714
04 Feb 2021 — SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordModel.php's getdata function. Una inyección SQL en Rockoa versión v1.8.7, permite a atacantes remotos alcanzar privilegios debido a un filtrado impreciso de parámetros en la función getdata del archivo wordModel.php • https://www.seebug.org/vuldb/ssvid-97858 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18713
https://notcve.org/view.php?id=CVE-2020-18713
04 Feb 2021 — SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in customerAction.php Una inyección SQL en Rockoa versión v1.8.7, permite a atacantes remotos alcanzar privilegios debido a un filtrado impreciso de parámetros en el archivo customerAction.php • https://www.seebug.org/vuldb/ssvid-97859 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •