Rockoa <2.3.3 is vulnerable to SQL Injection. The problem exists in the indexAction method in reimpAction.php.
The SQL Injection vulnerability (CWE-89) results from insufficient validation and sanitization of input data passed to the indexAction method in the reimpAction.php file. An attacker can inject malicious SQL code directly into queries executed by the application. The attack vector is network-based, requires no authentication or user interaction, making exploitation particularly simple.
An attacker can gain unauthorized access to data stored in the database, modify or delete data, and depending on the database server configuration, potentially take control of the system (full CIA triad: confidentiality, integrity, availability threatened at HIGH level).
Rockoa should be updated to version 2.3.3 or newer. If immediate update is not possible, it is recommended to restrict network access to the application and monitor traffic for SQL injection attempts.
Rockoa in versions below 2.3.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRockoa
APPRockoa< 2.3.3
Related vulnerabilities
SQL Injection w Xinhu RockOA β wyciek danych administratora
SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters...
SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters...
SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters...
A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an ad...