CVE-2025-10090 Scanner

CVE-2025-10090 Scanner - SQL Injection vulnerability in Jinher OA

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 26 days 17 hours
Scan only one: Domain, Subdomain, IPv4

Jinher OA is office automation software used for workflow management and collaboration within organizations. It is commonly deployed in businesses to streamline internal processes and improve efficiency. The software is designed for enterprise use and sits within the information technology stack. Organizations from various sectors use Jinher OA to manage their documents and internal communications. As a self-hosted solution, it gives businesses the flexibility to control and configure their deployment according to their needs. Its widespread adoption makes it attractive to a range of businesses seeking to improve productivity and manage tasks effectively.

The SQL Injection vulnerability in Jinher OA can be exploited by remote attackers to execute arbitrary SQL commands. This serious vulnerability arises from improper validation of user inputs before executing SQL statements. By manipulating input data through various injection techniques, an attacker can gain unauthorized access to database information. Such vulnerabilities could lead to the compromise of sensitive data stored within the Jinher OA system. It is crucial for businesses using this software to understand the risks associated with poor input handling and ensure their systems are updated to mitigate such threats. Maintaining secure database operations is essential to protect organizational data from breach and manipulation.

Technically, the SQL Injection vulnerability exists due to insufficient input validation within specific endpoints of Jinher OA. An attacker can leverage this to craft requests containing malicious SQL statements intended to manipulate the database. In particular, the 'GET /C6/Jhsoft.Web.departments/GetTreeDate.aspx' endpoint is vulnerable: improper handling of the 'id' parameter allows injection. Such vulnerabilities stem from concatenating user input directly into SQL queries without proper sanitization. Attackers can use time delays in their payloads to confirm the presence of the vulnerability, as demonstrated by a request containing 'WAITFOR DELAY'. Exploiting such endpoints can result in unauthorized access to and modification of the database content.

Exploiting this SQL Injection vulnerability can have severe consequences for affected businesses. Unauthorized access to sensitive data such as user credentials, financial records, and confidential documents can occur. Additionally, attackers might modify or delete important data or even take control of the application's backend database. These actions could disrupt business operations, lead to data breaches, and incur significant financial and reputational damage. Organizations must prioritize security measures to detect and protect against such SQL Injection attempts to prevent compromise.
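
For triage, the following added example (not part of the original page or of the scanner) reviews web server logs for requests to the endpoint named above whose 'id' value carries SQL syntax or whose response time suggests a time-delay probe. The log field order, the token heuristics, the 4000 ms threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameter named on this page (IIS paths are case-insensitive).
ENDPOINT = "/c6/jhsoft.web.departments/gettreedate.aspx"
PARAM = "id"
# Assumption: heuristic markers of injected T-SQL in a parameter value.
SQL_TOKENS = re.compile(
    r"\bwaitfor\s+delay\b|[';]|--|/\*|\b(?:union|select|exec)\b", re.IGNORECASE)
SLOW_MS = 4000  # assumption: time-taken (ms) that suggests a delay probe

# Constructed sample log. Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
SAMPLE_LOG = """\
#Software: constructed sample, not real traffic
2025-09-10 08:01:12 203.0.113.7 GET /C6/Jhsoft.Web.departments/GetTreeDate.aspx id=12 200 41
2025-09-10 08:01:30 198.51.100.9 GET /C6/Jhsoft.Web.departments/GetTreeDate.aspx id=1%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 200 5034
2025-09-10 08:02:02 203.0.113.7 GET /C6/Example.aspx id=1 200 18
2025-09-10 08:02:40 198.51.100.9 GET /c6/jhsoft.web.departments/gettreedate.aspx ID=7 200 6120
"""

def suspicious_requests(log_text):
    """Return (timestamp, client_ip, reasons) for requests worth triaging."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 8:
            continue  # skip W3C directives and malformed lines
        date, clock, ip, _method, stem, query, _status, taken = fields
        if stem.lower() != ENDPOINT or not taken.isdigit():
            continue
        # parse_qs URL-decodes values, so encoded payloads are matched too.
        params = parse_qs(query, keep_blank_values=True)
        values = [v for k, vs in params.items() if k.lower() == PARAM for v in vs]
        reasons = []
        if any(SQL_TOKENS.search(v) for v in values):
            reasons.append("sql-syntax-in-id")
        if int(taken) >= SLOW_MS:
            reasons.append("slow-response")
        if reasons:
            findings.append((f"{date} {clock}", ip, reasons))
    return findings

if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

A slow response with a clean 'id' value is only a weak signal and is reported separately so it can be correlated with other requests from the same client.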