CVE-2024-7327

Name of the Vulnerable Software and Affected Versions Xinhu RockOA version 2.6.2

Description A critical issue was found in the function dataAction of the file /webmain/task/openapi/openmodhetongAction.php. The manipulation of the argument nickName leads to sql injection. The attack can be initiated remotely. The issue has been publicly disclosed and may be exploited. The vendor was contacted about this disclosure but did not respond.

Recommendations For Xinhu RockOA version 2.6.2, as a temporary workaround, consider restricting access to the dataAction function in the /webmain/task/openapi/openmodhetongAction.php file until a patch is available. Avoid using the nickName argument in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.