CVE-2025-63737

Name of the Vulnerable Software and Affected Versions Xinhu Rainrock RockOA version 2.7.0

Description A cross-site scripting (XSS) issue exists in the urltestAction function within the cliAction.php file. This allows attackers to inject arbitrary web scripts or HTML code through the m parameter of the /task.php API endpoint.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the /task.php endpoint.