VYPR
Vendor

OA System

Products
2
CVEs
6
Across products
6
Status
Private

Products

2

Recent CVEs

6
  • CVE-2025-44033CriAug 29, 2025
    risk 0.64cvss 9.8epss 0.01

    SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the allDirector() method declaration in src/main/java/cn/gson/oasys/mappers/AddressMapper.java

  • CVE-2025-44034HigSep 16, 2025
    risk 0.52cvss 8.0epss 0.00

    SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the alph parameters in src/main/Java/cn/gson/oasys/controller/address/AddrController

  • CVE-2025-29691MedMay 14, 2025
    risk 0.40cvss 6.1epss 0.00

    A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the userName parameter at /login/LoginsController.java.

  • CVE-2025-29690MedMay 14, 2025
    risk 0.40cvss 6.1epss 0.00

    A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the outtype parameter at /address/AddrController.java.

  • CVE-2025-29689MedMay 14, 2025
    risk 0.40cvss 6.1epss 0.00

    A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the password parameter at /mail/MailController.java.

  • CVE-2025-29686MedMay 14, 2025
    risk 0.40cvss 6.1epss 0.00

    A cross-site scripting (XSS) vulnerability in OA System before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter at /inform/InformManageController.java.