r1bbit

20 exploits, active since Jan 2025
CVE-2024-57776 GITEE MEDIUM java
JFinalOA < 2025.01.01 - XSS
A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 4.6
CVE-2024-57775 GITEE HIGH java
JFinalOA < 2025.01.01 - SQL Injection
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component getWorkFlowHis?insid.
CVSS 8.8
CVE-2024-57774 GITEE MEDIUM java
JFinalOA < 2025.01.01 - XSS
A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 4.8
CVE-2024-57773 GITEE MEDIUM java
JFinalOA < 2025.01.01 - XSS
A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 4.8
CVE-2024-57772 GITEE MEDIUM java
JFinalOA < 2025.01.01 - XSS
A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 4.8
CVE-2024-57771 GITEE MEDIUM java
JFinalOA < 2025.01.01 - XSS
A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 4.8
CVE-2024-57770 GITEE HIGH java
JFinalOA < 2025.01.01 - SQL Injection
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component apply/save#oaContractApply.id.
CVSS 8.8
CVE-2024-57769 GITEE HIGH java
JFinalOA < 2025.01.01 - SQL Injection
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component borrowmoney/listData?applyUser.
CVSS 8.8
CVE-2024-57768 GITEE CRITICAL java
JFinalOA < 2025.01.01 - SQL Injection
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key.
CVSS 9.8
CVE-2025-1224 GITEE MEDIUM java
ywoa < 2024.07.03 - SQL Injection
A vulnerability classified as critical was found in ywoa up to 2024.07.03. This vulnerability affects the function listNameBySql of the file com/cloudweb/oa/mapper/xml/UserMapper.xml. The manipulation leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 6.3
CVE-2025-25590 GITEE MEDIUM java
R1bbit Yimioa < 2024.07.04 - SQL Injection
yimioa before v2024.07.04 was discovered to contain a SQL injection vulnerability via the component /mapper/xml/AddressDao.xml.
CVSS 6.1
CVE-2025-1216 GITEE MEDIUM java
ywoa < 2024.07.03 - SQL Injection
A vulnerability, which was classified as critical, has been found in ywoa up to 2024.07.03. This issue affects the function selectNoticeList of the file com/cloudweb/oa/mapper/xml/OaNoticeMapper.xml. The manipulation of the argument sort leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 6.3
CVE-2025-25589 GITEE HIGH java
yimioa < 2024.07.04 - RCE
An XML external entity (XXE) injection vulnerability in the component /weixin/aes/XMLParse.java of yimioa before v2024.07.04 allows attackers to execute arbitrary code via supplying a crafted XML file.
CVSS 8.1
CVE-2025-25586 GITEE MEDIUM java
R1bbit Yimioa < 2024.07.04 - Information Disclosure
yimioa before v2024.07.04 was discovered to contain an information disclosure vulnerability via the component /resources/application.yml.
CVSS 4.2
CVE-2025-25585 GITEE HIGH java
R1bbit Yimioa < 2024.07.04 - Improper Access Control
Incorrect access control in the component /config/WebSecurityConfig.java of yimioa before v2024.07.04 allows unauthorized attackers to arbitrarily modify Administrator passwords.
CVSS 7.3
CVE-2025-25582 GITEE MEDIUM java
R1bbit Yimioa < 2024.07.04 - SQL Injection
yimioa before v2024.07.04 was discovered to contain a SQL injection vulnerability via the selectNoticeList() method at /xml/OaNoticeMapper.xml.
CVSS 6.1
CVE-2025-25580 GITEE MEDIUM java
R1bbit Yimioa < 2024.07.04 - SQL Injection
yimioa before v2024.07.04 was discovered to contain a SQL injection vulnerability via the listNameBySql() method at /xml/UserMapper.xml.
CVSS 6.1
CVE-2025-1227 GITEE MEDIUM java
ywoa < 2024.07.03 - SQL Injection
A vulnerability was found in ywoa up to 2024.07.03. It has been rated as critical. This issue affects the function selectList of the file com/cloudweb/oa/mapper/xml/AddressDao.xml. The manipulation leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 6.3
CVE-2025-1226 GITEE MEDIUM java
ywoa < 2024.07.03 - Auth Bypass
A vulnerability was found in ywoa up to 2024.07.03. It has been declared as critical. This vulnerability affects unknown code of the file /oa/setup/setup.jsp. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 5.3
CVE-2025-1225 GITEE MEDIUM java
ywoa < 2024.07.03 - XML External Entity Reference
A vulnerability, which was classified as problematic, has been found in ywoa up to 2024.07.03. This issue affects the function extract of the file c-main/src/main/java/com/redmoon/weixin/aes/XMLParse.java of the component WXCallBack Interface. The manipulation leads to XML external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 6.3