CVE-2025-63742

Name of the Vulnerable Software and Affected Versions Xinhu Rainrock RockOA version 2.7.0

Description A SQL Injection issue exists in the setwxqyAction function within the webmain/task/api/loginAction.php file. This allows attackers to obtain sensitive information, including administrator accounts, password hashes, and database structure, through the shouji and userid parameters.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the setwxqyAction function or the webmain/task/api/loginAction.php file. Avoid using the shouji and userid parameters in the affected API endpoint until the issue is resolved.