
CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

A vulnerability classified as critical was found in Xinhu RockOA 2.6.2. This vulnerability affects the function dataAction of the file /webmain/task/openapi/openmodhetongAction.php. The manipulation of the argument nickName leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

• https://vuldb.com/?id.273250
• https://vuldb.com/?ctiid.273250
• https://vuldb.com/?submit.378320
• https://wiki.shikangsi.com/post/share/789dad54-851b-4ec6-a1f6-11271e30db71
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 1

A vulnerability was found in Xinhu RockOA 1.1/2.3.2/15.X3amdi and classified as problematic. Affected by this issue is some unknown functionality of the file api.php?m=reimplat&a=index of the component Password Handler. The manipulation leads to weak password recovery. The attack may be launched remotely.

• https://github.com/magicwave18/vuldb/issues/1
• https://vuldb.com/?ctiid.240926
• https://vuldb.com/?id.240926
• CWE-640: Weak Password Recovery Mechanism for Forgotten Password