Oa
SQL injection in Jinher OA 1.0 allows remote unauthenticated attackers to manipulate the httpOID parameter of nextselectplan.aspx to inject arbitrary SQL statements. Exploit code is publicly available according to the VulDB disclosure, and the vendor did not respond to coordinated disclosure attempts, increasing the window of exposure. The CVSS score of 7.3 reflects network-reachable, low-complexity exploitation with limited confidentiality, integrity, and availability impact on the database backend.
SQL injection in Jinher OA C6's GetFormSn.aspx endpoint allows remote low-privilege authenticated attackers to manipulate the queryID parameter, potentially reading, modifying, or deleting backend database records. A public proof-of-concept exploit is available on GitHub, lowering the barrier to exploitation. No patch exists: the vendor was notified early but did not respond, leaving no official remediation path.
SQL injection in Jinher OA 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the DeptIDList parameter in UserSel.aspx. The vulnerability permits unauthorized database access with potential for data exfiltration, modification, and limited system compromise. Public exploit code exists on GitHub (zzlln/cvecve), significantly lowering the barrier to exploitation. The vendor did not respond to the disclosure, leaving patch status unknown.