CRITICALπŸ‡΅πŸ‡± Wersja polska

CVE-2025-63742

CVSS 9.8v3.1pub. 2025-12-09upd. 2025-12-12

SQL Injection vulnerability in function setwxqyAction in file webmain/task/api/loginAction.php in Xinhu Rainrock RockOA 2.7.0 allowing attackers gain sensitive information, including administrator accounts, password hashes, database structure, and other critical data via the shouji and userid parameters.

πŸ€– AI Analysis
How it works

The vulnerability is located in the setwxqyAction function in the webmain/task/api/loginAction.php file. The shouji and userid parameters passed to this function are not properly validated or parameterized, which allows an attacker to inject malicious SQL queries. As a result, it is possible to manipulate database queries without any authentication, directly over the network.

Impact

An attacker can gain access to sensitive data, including administrator accounts, password hashes, and database structure. It is also possible to compromise data integrity or affect system availability.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Until the fix is implemented, it is recommended to restrict network access to the vulnerable endpoint and monitor logs for suspicious queries to the loginAction.php file.

Who is affected

Xinhu Rainrock RockOA version 2.7.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Rockoa

    APP
    Rockoa
    2.7.0
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2023-49363CRITICAL9.8PL βœ“ten sam produkt

SQL Injection w Rockoa β€” metoda indexAction w reimpAction.php

CVE-2020-18714CRITICAL9.8ten sam produkt

SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters...

CVE-2020-18716CRITICAL9.8ten sam produkt

SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters...

CVE-2020-18713CRITICAL9.8ten sam produkt

SQL Injection in Rockoa v1.8.7 allows remote attackers to gain privileges due to loose filtering of parameters...

CVE-2020-20593HIGH8.0ten sam produkt

A cross-site request forgery (CSRF) in Rockoa v1.9.8 allows an authenticated attacker to arbitrarily add an ad...

CVE-2025-63742 β€” Rockoa β€” CRITICAL β€” CVSS 9.8 | CVEbaza.pl