
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

A vulnerability, which was classified as critical, was found in RockOA 2.3.2. This affects the function runAction of the file acloudCosAction.php.SQL. The manipulation of the argument fileid leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
References: https://gitee.com/xieqiangweb/cve/blob/master/cve/Rockoa.md https://vuldb.com/?ctiid.223401 https://vuldb.com/?id.223401
CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an administrator account.
References: http://www.rockoa.com/view_demo.html https://github.com/alixiaowei/alixiaowei.github.io/issues/1
CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordAction.php.
References: https://www.seebug.org/vuldb/ssvid-97867
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in wordModel.php's getdata function.
References: https://www.seebug.org/vuldb/ssvid-97858
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters in customerAction.php.
References: https://www.seebug.org/vuldb/ssvid-97859
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')