r1bbit

20 exploits, active since Jan 2025
CVE-2024-57776 GITEE MEDIUM java
JFinalOA < 2025.01.01 - Cross-Site Scripting via /apply/getEditPage?view Interface
A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 4.6
CVE-2024-57775 GITEE HIGH java
JFinalOA < 2025.01.01 - SQL Injection via getWorkFlowHis insid Parameter
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component getWorkFlowHis?insid.
CVSS 8.8
CVE-2024-57774 GITEE MEDIUM java
JFinalOA < 2025.01.01 - Cross-Site Scripting via getBusinessUploadListPage Interface
A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 4.8
CVE-2024-57773 GITEE MEDIUM java
JFinalOA < 2025.01.01 - Cross-Site Scripting via openSelectManyUserPage Interface
A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 4.8
CVE-2024-57772 GITEE MEDIUM java
JFinalOA < 2025.01.01 - Cross-Site Scripting via /bumph/getDraftListPage
A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 4.8
CVE-2024-57771 GITEE MEDIUM java
JFinalOA < 2025.01.01 - Cross-Site Scripting via common/getEditPage?view Interface
A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 4.8
CVE-2024-57770 GITEE HIGH java
JFinalOA < 2025.01.01 - SQL Injection via apply/save oaContractApply.id Parameter
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component apply/save#oaContractApply.id.
CVSS 8.8
CVE-2024-57769 GITEE HIGH java
JFinalOA < 2025.01.01 - SQL Injection via borrowmoney/listData applyUser Parameter
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component borrowmoney/listData?applyUser.
CVSS 8.8
CVE-2024-57768 GITEE CRITICAL java
JFinalOA < 2025.01.01 - SQL Injection via validRoleKey sysRole.key Parameter
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key.
CVSS 9.8
CVE-2025-1224 GITEE MEDIUM java
yimioa < 2024.07.04 - SQL Injection in UserMapper.xml listNameBySql Function
A vulnerability classified as critical was found in ywoa up to 2024.07.03. This vulnerability affects the function listNameBySql of the file com/cloudweb/oa/mapper/xml/UserMapper.xml. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 6.3
CVE-2025-25590 GITEE MEDIUM java
yimioa < 2024.07.04 - SQL Injection via AddressDao.xml Mapper
yimioa before v2024.07.04 was discovered to contain a SQL injection vulnerability via the component /mapper/xml/AddressDao.xml.
CVSS 6.1
CVE-2025-1216 GITEE MEDIUM java
yimioa < 2024.07.04 - SQL Injection via OaNoticeMapper.xml sort Argument
A vulnerability, which was classified as critical, has been found in ywoa up to 2024.07.03. This issue affects the function selectNoticeList of the file com/cloudweb/oa/mapper/xml/OaNoticeMapper.xml. The manipulation of the argument sort leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 6.3
CVE-2025-25589 GITEE HIGH java
yimioa < 2024.07.04 - XML External Entity Injection in XMLParse.java
An XML external entity (XXE) injection vulnerability in the component /weixin/aes/XMLParse.java of yimioa before v2024.07.04 allows attackers to execute arbitrary code via supplying a crafted XML file.
CVSS 8.1
CVE-2025-25586 GITEE MEDIUM java
yimioa < 2024.07.04 - Information Disclosure via /resources/application.yml
yimioa before v2024.07.04 was discovered to contain an information disclosure vulnerability via the component /resources/application.yml.
CVSS 4.2
CVE-2025-25585 GITEE HIGH java
yimioa < 2024.07.04 - Unauthenticated Administrator Password Modification via WebSecurityConfig
Incorrect access control in the component /config/WebSecurityConfig.java of yimioa before v2024.07.04 allows unauthorized attackers to arbitrarily modify Administrator passwords.
CVSS 7.3
CVE-2025-25582 GITEE MEDIUM java
yimioa < 2024.07.04 - SQL Injection via OaNoticeMapper.xml selectNoticeList()
yimioa before v2024.07.04 was discovered to contain a SQL injection vulnerability via the selectNoticeList() method at /xml/OaNoticeMapper.xml.
CVSS 6.1
CVE-2025-25580 GITEE MEDIUM java
yimioa < 2024.07.04 - SQL Injection via listNameBySql() Method
yimioa before v2024.07.04 was discovered to contain a SQL injection vulnerability via the listNameBySql() method at /xml/UserMapper.xml.
CVSS 6.1
CVE-2025-1227 GITEE MEDIUM java
yimioa < 2024.07.04 - SQL Injection in AddressDao.xml selectList Function
A vulnerability was found in ywoa up to 2024.07.03. It has been rated as critical. This issue affects the function selectList of the file com/cloudweb/oa/mapper/xml/AddressDao.xml. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 6.3
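The yimioa SQL injection entries above (listNameBySql in UserMapper.xml, selectNoticeList in OaNoticeMapper.xml, selectList in AddressDao.xml) all sit in MyBatis mapper XML, and the OaNoticeMapper.xml entry names a sort argument. In MyBatis, #{x} becomes a JDBC bind parameter, while ${x} is pasted into the SQL text before it is parsed; ORDER BY cannot take a bind parameter, so a sort column that reaches ${...} unchecked is injectable. The following is an added example, not yimioa/ywoa code: the mapper fragment, table name and column names are assumptions, and it shows the allow-list a practitioner would put between a client-supplied sort parameter and the ${...} substitution.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not yimioa/ywoa code). Assumed vulnerable mapper fragment,
 * illustrative only, not the real OaNoticeMapper.xml:
 *
 *   <select id="selectNoticeList" resultType="OaNotice">
 *     SELECT * FROM oa_notice WHERE status = #{status} ORDER BY ${sort}
 *   </select>
 *
 * #{status} is bound by JDBC, but ${sort} is substituted into the SQL string, so a
 * request value such as  sort=id;DROP TABLE oa_notice  or a CASE expression that
 * leaks data through ordering is executed verbatim. The fix is to build the ORDER BY
 * only from allow-listed tokens and pass that object to the mapper instead.
 */
public final class SortAllowlist {

    /** Names a client may send, mapped to real column names (assumed schema). */
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "id", "id",
            "title", "title",
            "createTime", "create_time",
            "publisher", "publisher_id");

    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    /** Validated ORDER BY clause; instances only come out of {@link #resolve}. */
    public static final class OrderBy {
        private final String column;
        private final String direction;
        private OrderBy(String column, String direction) {
            this.column = column;
            this.direction = direction;
        }
        public String getColumn() { return column; }
        public String getDirection() { return direction; }
        /** Both parts come from fixed sets, so this is safe to interpolate with ${...}. */
        public String getSql() { return column + " " + direction; }
    }

    /**
     * Accepts "field" or "field,direction" from the request and returns a clause built
     * only from allow-listed tokens, or throws. Falls back to a default ordering when
     * the parameter is absent.
     */
    public static OrderBy resolve(String sortParam) {
        if (sortParam == null || sortParam.isBlank()) {
            return new OrderBy("create_time", "DESC");
        }
        String[] parts = sortParam.split(",", -1);
        if (parts.length > 2) {
            throw new IllegalArgumentException("sort must be field or field,direction");
        }
        String column = SORT_COLUMNS.get(parts[0].trim());
        if (column == null) {
            throw new IllegalArgumentException("unknown sort field: " + parts[0]);
        }
        String direction = parts.length == 2 ? parts[1].trim().toUpperCase(Locale.ROOT) : "ASC";
        if (!DIRECTIONS.contains(direction)) {
            throw new IllegalArgumentException("sort direction must be asc or desc");
        }
        return new OrderBy(column, direction);
    }

    public static void main(String[] args) {
        // Constructed request values: two legitimate, three hostile.
        String[] inputs = {
            "createTime,desc",
            "title",
            "id;DROP TABLE oa_notice",
            "(SELECT CASE WHEN 1=1 THEN id ELSE title END)",
            "createTime,desc,limit"
        };
        for (String in : inputs) {
            try {
                System.out.println(in + "  ->  ORDER BY " + resolve(in).getSql());
            } catch (IllegalArgumentException e) {
                System.out.println(in + "  ->  rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with java SortAllowlist.java (Java 11 or later). The controller resolves the request parameter into an OrderBy and hands that to the mapper, whose fragment becomes ORDER BY ${orderBy.sql}; the substitution is still ${...}, but every value that can reach it was chosen from the two fixed sets above. The same check applies to any other identifier (table, column, LIMIT expression) that a mapper has to splice in as text rather than bind.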
CVE-2025-1226 GITEE MEDIUM java
yimioa < 2024.07.04 - Improper Authorization in /oa/setup/setup.jsp
A vulnerability was found in ywoa up to 2024.07.03. It has been declared as critical. This vulnerability affects unknown code of the file /oa/setup/setup.jsp. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 5.3
CVE-2025-1225 GITEE MEDIUM java
yimioa < 2024.07.04 - XML External Entity Injection in XMLParse.java extract Function (WXCallBack Interface)
A vulnerability, which was classified as problematic, has been found in ywoa up to 2024.07.03. This issue affects the function extract of the file c-main/src/main/java/com/redmoon/weixin/aes/XMLParse.java of the component WXCallBack Interface. The manipulation leads to xml external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2024.07.04 is able to address this issue. It is recommended to upgrade the affected component.
CVSS 6.3
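Both XXE entries above (CVE-2025-25589 and CVE-2025-1225) point at the extract function of the WeChat callback helper XMLParse.java, which turns the encrypted-message callback body into a DOM and reads the Encrypt element. The following is an added example, not yimioa/ywoa code and not the WeChat SDK's own parser: the callback bodies are constructed, and the point is the DocumentBuilderFactory configuration that rejects a DOCTYPE, and with it any external entity, before the document is parsed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/**
 * Added example (not yimioa/ywoa or WeChat SDK code). A hardened replacement for the
 * kind of "parse the callback XML, read <Encrypt>" helper the advisories describe.
 */
public final class SafeXmlExtract {

    /** Constructed callback body in the shape of a WeChat encrypted-message callback. */
    static final String BENIGN =
        "<xml><ToUserName><![CDATA[gh_example]]></ToUserName>"
      + "<Encrypt><![CDATA[BASE64CIPHERTEXT]]></Encrypt></xml>";

    /** Constructed hostile body: a DOCTYPE declares an external entity and expands it. */
    static final String HOSTILE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE xml [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>"
      + "<xml><Encrypt>&ext;</Encrypt></xml>";

    /** DocumentBuilder that refuses DTDs and external entities outright. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: no DTD means no entity declarations, internal or external.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the text of <Encrypt>, or throws if the body is not a plain callback document. */
    public static String extractEncrypt(String body) throws Exception {
        Document doc = hardenedBuilder()
                .parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagName("Encrypt");
        if (nodes.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one <Encrypt> element");
        }
        return nodes.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign  -> " + extractEncrypt(BENIGN));
        try {
            extractEncrypt(HOSTILE);
            System.out.println("hostile -> parsed (parser is NOT hardened)");
        } catch (SAXException e) {
            // With disallow-doctype-decl the parser stops at the DOCTYPE, before any entity
            // is resolved, so the file reference is never opened.
            System.out.println("hostile -> rejected: " + e.getMessage());
        }
    }
}
```

Run with java SafeXmlExtract.java. The first line prints the ciphertext placeholder; the second prints the parser's DOCTYPE rejection. If the second line instead reports a parse, the parser in use ignores the feature and the remaining entity-related settings are what is protecting it; the same configuration should be applied to any SAXParserFactory, XMLInputFactory or TransformerFactory that touches the same callback data.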