Rockoa · Rockoa · CVE-2019-9846
**Name of the Vulnerable Software and Affected Versions**
RockOA version 1.8.7
**Description**
The issue allows remote attackers to obtain sensitive information because the publictreestore method in webmain/webmainAction.php builds a SQL WHERE clause unsafely. The `pidfields` and `idfields` request parameters are inserted into the clause without validation, which enables background SQL injection.
**Recommendations**
For RockOA version 1.8.7, as a temporary workaround, consider restricting access to the publictreestore method in webmain/webmainAction.php to minimize the risk of exploitation. Avoid using the `pidfields` and `idfields` parameters in the affected method until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
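The advisory describes a WHERE clause built from request parameters that name columns (`pidfields`, `idfields`). The PHP below is an added illustration of that risk class and of the usual fix; it is not RockOA's code, and the table name `tree`, its columns, the function names and the `pid` parameter are assumptions for the example. The unsafe shape concatenates caller-supplied identifiers into SQL; the hardened shape checks identifiers against a fixed allowlist and binds the value with a prepared statement, so neither input can change the query's structure.

```php
<?php
// Added example, not RockOA's code. Table, columns and function names are assumed.
declare(strict_types=1);

// Unsafe shape: column names from the request are concatenated into the query.
// Nothing restricts $pidField/$idField to real columns, so the WHERE clause is
// whatever the caller supplies. Shown for contrast only; not used below.
function buildTreeWhereUnsafe(array $req): string
{
    $pidField = $req['pidfields'] ?? 'pid';
    $idField  = $req['idfields']  ?? 'id';
    $pid      = $req['pid']       ?? '0';
    return "SELECT `{$idField}`, `name` FROM `tree` WHERE `{$pidField}`='{$pid}'";
}

// Hardened shape: identifiers must match an allowlist; values are bound.
const ALLOWED_TREE_COLUMNS = ['id', 'pid', 'name', 'sort'];

function assertAllowedColumn(string $name): string
{
    // Strict comparison against a closed list; anything else is rejected
    // before any SQL text is assembled.
    if (!in_array($name, ALLOWED_TREE_COLUMNS, true)) {
        throw new InvalidArgumentException("column not allowed: {$name}");
    }
    return $name;
}

function buildTreeWhereSafe(PDO $db, array $req): PDOStatement
{
    $pidField = assertAllowedColumn($req['pidfields'] ?? 'pid');
    $idField  = assertAllowedColumn($req['idfields']  ?? 'id');

    // Identifiers are now known-good literals; the value travels as a bound parameter.
    $sql  = "SELECT `{$idField}` AS id, `name` FROM `tree` WHERE `{$pidField}` = :pid";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':pid', (int)($req['pid'] ?? 0), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// Usage against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tree (id INTEGER, pid INTEGER, name TEXT, sort INTEGER)');
$db->exec("INSERT INTO tree VALUES (1, 0, 'root', 1), (2, 1, 'child', 1)");

$rows = buildTreeWhereSafe($db, ['pidfields' => 'pid', 'idfields' => 'id', 'pid' => '1'])
    ->fetchAll(PDO::FETCH_ASSOC);
var_dump($rows); // one row: id => 2, name => 'child'

try {
    buildTreeWhereSafe($db, ['pidfields' => 'not_a_column']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // rejected before any query is built or run
}
```

The allowlist is the important part: quoting or escaping cannot make a column name safe, because an identifier is part of the query's structure rather than a value, so the only reliable control is to accept identifiers from a closed set the application defines. Pairing that with parameter binding for the actual values covers both halves of the WHERE clause the advisory refers to.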