12 matches found
EUVD-2025-202290
SQL Injection vulnerability in function setwxqyAction in file webmain/task/api/loginAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information, including administrator accounts, password hashes, database structure, and other critical data via the shouji and userid...
EUVD-2025-202293
An issue was discovered in file index.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information via phpinfo via the a parameter to the index.php...
CVE-2025-63742
SQL Injection vulnerability in function setwxqyAction in file webmain/task/api/loginAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers to gain sensitive information, including administrator accounts, password hashes, database structure, and other critical data via the shouji and userid...
PT-2025-50098
Name of the Vulnerable Software and Affected Versions: Xinhu Rainrock RockOA version 2.7.0. Description: An issue exists in the phpinisaveAction function within the webmain/system/cogini/coginiAction.php file. This allows authenticated users to modify PHP configuration files through the a parameter ...
CVE-2024-6939
A vulnerability was found in Xinhu RockOA 2.6.3 and classified as problematic. Affected by this issue is the function okla of the file /webmain/public/upload/tplupload.html. The manipulation of the argument callback leads to cross site scripting. The attack may be launched remotely. The exploit h...
CVE-2023-5296
A vulnerability was found in Xinhu RockOA 1.1/2.3.2/15.X3amdi and classified as problematic. Affected by this issue is some unknown functionality of the file api.php?m=reimplat=index of the component Password Handler. The manipulation leads to weak password recovery. The attack may be launched...
CVE-2023-49363
Rockoa 2.3.3 is vulnerable to SQL Injection. The problem exists in the indexAction method in reimpAction.php...
RockOA cross-site scripting vulnerability (CNVD-2024-33675)
RockOA Xinhuo is an open source office OA system. A cross-site scripting vulnerability exists in RockOA 2.6.3, which originates from a callback parameter in the /webmain/public/upload/tplupload.html file containing cross-site scripting. No details of the vulnerability are available at this time...
CVE-2024-37622
Xinhu RockOA v2.6.3 has a reflected XSS vulnerability in the num parameter of /flow/flow.php. The issue is confirmed across multiple sources: Xinhu RockOA v2.6.3, with potential impact to users via an attacker-supplied input reflected in the page. Remediation guidance found in PT-2024-27679 recom...
CVE-2023-49363
Rockoa 2.3.3 is vulnerable to SQL Injection. The problem exists in the indexAction method in reimpAction.php...
SQL injection
Rockoa 2.3.3 is vulnerable to SQL Injection. The problem exists in the indexAction method in reimpAction.php...
CVE-2023-1773 Rockoa Configuration File webmainConfig.php code injection
A vulnerability was found in Rockoa 2.3.2. It has been declared as critical. This vulnerability affects unknown code of the file webmainConfig.php of the component Configuration File Handler. The manipulation leads to code injection. The attack can be initiated remotely. The exploit has been...