Docsys
A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. [CVSS 6.3 MEDIUM]
Docsys versions up to 2.02.36 contain a SQL injection vulnerability (CVSS 6.3).
A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. [CVSS 6.3 MEDIUM]
Path traversal in RainyGao DocSys up to version 2.02.36 allows authenticated remote attackers to manipulate the path argument in the /Doc/deleteDoc.do endpoint, enabling deletion of, or access to, arbitrary files outside the intended directory. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor has not responded to early disclosure notifications. EPSS exploitation probability is low at 0.11%, and no active exploitation has been reported in CISA KEV.
Path traversal in RainyGao DocSys up to version 2.02.36 allows authenticated remote attackers to manipulate the 'path' parameter in the updateRealDoc function (/Doc/uploadDoc.do) to write files outside intended directories. The vulnerability affects the file upload component and has publicly available exploit code, though the low CVSS score (2.1) and minimal EPSS (0.12%) indicate limited real-world impact despite confirmed public exploitability.
SQL injection in RainyGao DocSys up to version 2.02.36 allows authenticated remote attackers to execute arbitrary SQL queries via the getUserList function in /Manage/getUserList.do, enabling unauthorized data access with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor did not respond to early disclosure notification.