Mr-Xn

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** Error messages in RuvarOA were discovered to leak the physical path of the website, specifically at the /WorkFlow/OfficeFileUpdate.aspx endpoint. This issue can allow attackers to write files to the server or execute arbitrary commands via crafted SQL statements. **Recommendations** For versions 6.01 through 12.01, consider restricting access to the /WorkFlow/OfficeFileUpdate.aspx endpoint until a patch is available. As a temporary workaround, avoid using crafted SQL statements that could exploit this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** A SQL injection issue was discovered via the `filename` parameter at the "/WorkFlow/OfficeFileDownload.aspx" API endpoint. **Recommendations** For versions 6.01 through 12.01, consider restricting access to the "/WorkFlow/OfficeFileDownload.aspx" endpoint until a patch is available. As a temporary workaround, avoid using the `filename` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** A SQL injection issue was discovered via the `project id` parameter at the "/ProjectManage/pm gatt inc.aspx" API endpoint. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For RuvarOA versions 6.01 through 12.01, consider restricting access to the "/ProjectManage/pm gatt inc.aspx" endpoint to minimize the risk of exploitation. Avoid using the `project id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `id` parameter at the "/PersonalAffair/worklog template show.aspx" API endpoint. **Recommendations** For RuvarOA versions 6.01 through 12.01, consider restricting access to the "/PersonalAffair/worklog template show.aspx" API endpoint to minimize the risk of exploitation. Avoid using the `id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `id` parameter at the "/PersonalAffair/worklog template show.aspx" API endpoint. **Recommendations** For RuvarOA versions 6.01 through 12.01, consider restricting access to the "/PersonalAffair/worklog template show.aspx" API endpoint to minimize the risk of exploitation. Avoid using the `id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `id` parameter at the "/WorkFlow/wf office file history show.aspx" API endpoint. **Recommendations** For versions 6.01 through 12.01, consider restricting access to the "/WorkFlow/wf office file history show.aspx" API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `id` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `PageID` parameter at the "/WebUtility/get find condiction.aspx" API endpoint. **Recommendations** For versions 6.01 through 12.01, consider restricting access to the "/WebUtility/get find condiction.aspx" API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `PageID` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. It can be exploited via the `PageID` parameter at the "/WebUtility/SearchCondiction.aspx" API endpoint. **Recommendations** For versions 6.01 through 12.01, consider restricting access to the "/WebUtility/SearchCondiction.aspx" API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `PageID` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** A SQL injection issue was discovered via the `bt id` parameter at the "/include/get dict.aspx" API endpoint. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For RuvarOA versions 6.01 through 12.01, consider restricting access to the "/include/get dict.aspx" API endpoint to minimize the risk of exploitation. Avoid using the `bt id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `sys file storage id` parameter at the "/WorkFlow/wf work finish file down.aspx" API endpoint. **Recommendations** For versions 6.01 through 12.01, consider restricting access to the vulnerable API endpoint "/WorkFlow/wf work finish file down.aspx" to minimize the risk of exploitation. Avoid using the `sys file storage id` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `tbTable` argument at the "/WebUtility/MF.aspx" API endpoint. **Recommendations** For versions 6.01 through 12.01, as a temporary workaround, consider restricting access to the `/WebUtility/MF.aspx` API endpoint to minimize the risk of exploitation. Avoid using the `tbTable` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `template id` parameter at the "/WorkFlow/wf get fields approve.aspx" API endpoint. **Recommendations** For RuvarOA versions 6.01 through 12.01, consider restricting access to the "/WorkFlow/wf get fields approve.aspx" endpoint to minimize the risk of exploitation. Avoid using the `template id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** A SQL injection issue was discovered via the `idlist` parameter at the "/WorkFlow/wf work print.aspx" API endpoint. This allows for potential exploitation. **Recommendations** For versions 6.01 through 12.01, consider restricting access to the "/WorkFlow/wf work print.aspx" API endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `idlist` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. It can be exploited via the `id` parameter at the "/SysManage/sys blogtemplate new.aspx" API endpoint. **Recommendations** For RuvarOA versions 6.01 through 12.01, consider restricting access to the "/SysManage/sys blogtemplate new.aspx" endpoint to minimize the risk of exploitation. Avoid using the `id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `txt keyword` parameter at the "get company.aspx" endpoint. **Recommendations** For versions 6.01 through 12.01, as a temporary workaround, consider restricting access to the "get company.aspx" endpoint until a patch is available. Avoid using the `txt keyword` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** A SQL injection issue was discovered via the `office missive id` parameter at the "/WorkFlow/wf work form save.aspx" API endpoint. This allows attackers to inject malicious SQL. **Recommendations** For versions 6.01 through 12.01, patch immediately and review code for proper input validation to prevent exploitation of the `office missive id` parameter in the "/WorkFlow/wf work form save.aspx" API endpoint. As a temporary workaround, consider restricting access to the vulnerable "/WorkFlow/wf work form save.aspx" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** A SQL injection issue was discovered via the `file id` parameter at the "/filemanage/file memo.aspx" API endpoint. This allows for potential exploitation. **Recommendations** For versions 6.01 through 12.01, as a temporary workaround, consider restricting access to the "/filemanage/file memo.aspx" endpoint until a patch is available. Avoid using the `file id` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `sys file storage id` parameter at the "/WorkPlan/WorkPlanAttachDownLoad.aspx" API endpoint. **Recommendations** For versions 6.01 through 12.01, consider disabling access to the "/WorkPlan/WorkPlanAttachDownLoad.aspx" endpoint until a patch is available. Restrict the use of the `sys file storage id` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `id` parameter at the "/bulletin/bulletin template show.aspx" API endpoint. **Recommendations** For versions 6.01 through 12.01, consider restricting access to the "/bulletin/bulletin template show.aspx" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `id` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RuvarOA versions 6.01 through 12.01 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `sys file storage id` parameter at the "/WorkFlow/wf file download.aspx" API endpoint. **Recommendations** For RuvarOA versions 6.01 through 12.01, consider restricting access to the "/WorkFlow/wf file download.aspx" API endpoint to minimize the risk of exploitation. Avoid using the `sys file storage id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.