Description
A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. The manipulation of the argument fengmian results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-01-05
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote XSS
Action: Apply Patch
AI Analysis

Impact

A cross-site scripting flaw exists in the Cover Image Handler of Xinhu Rainrock RockOA: the fengmian argument to rock_page_gong.php is not neutralised before it is written into the page. The record does not identify the affected function and does not say whether the payload is reflected or stored, but in either case the injected script runs in the browser of whoever views the resulting page, under that user's session, enabling session hijacking, content defacement or phishing. The weakness is tracked as CWE-79 (improper neutralisation of input during web page generation); VulDB additionally tags the broader CWE-94 (code injection), of which XSS is a special case. The CVSS vectors (confidentiality and availability impact none, integrity impact low) are consistent with client-side script execution, not server-side code execution.

Affected Systems

The vulnerability affects Xinhu Rainrock RockOA in all releases up to and including version 2.7.1; the NVD CPE entry (cpe:2.3:a:rockoa:rockoa:*) likewise places no lower bound on the affected range. The affected component is the rock_page_gong.php script within the Cover Image Handler.

Risk and Exploitability

The CVSS 4.0 base score of 5.1 rates the flaw Medium, while the CVSS 3.x vector (AV:N/AC:L/PR:L/UI:R) scores only 3.5 (Low); both describe the same facts, network-reachable and low complexity but requiring a low-privilege account (PR:L) and a victim's interaction (UI:R in v3, UI:P in v4), and differ only in how v4.0 weights them. The EPSS score below 1% suggests a low but non-zero probability of exploitation in the wild, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records a public proof of concept (Exploitation: poc) that is not automatable, with partial technical impact. An attacker who can reach the web interface triggers the flaw by sending a specially crafted fengmian parameter to rock_page_gong.php, and because the exploit is public, exposed instances should be treated as a live phishing target rather than dismissed on the low scores.

Generated by OpenCVE AI on April 18, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround has been published; the vendor did not respond to the disclosure.

OpenCVE Recommended Actions

  • Update Xinhu Rainrock RockOA to a release newer than 2.7.1 once the vendor publishes one that contains a fix; at the time of this record no fix had been confirmed.
  • Until then, patch locally: validate the fengmian value against an allowlist of acceptable image paths and, independently, HTML-encode it in the context where rock_page_gong.php writes it into the page. Output encoding is the control that actually stops script execution; input sanitisation on its own is easy to bypass.
  • Restrict access to rock_page_gong.php to trusted, authenticated users, and put a web application firewall rule in front of it that drops requests whose fengmian parameter carries HTML or script metacharacters; treat the WAF rule as a stopgap, not a fix.
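The following PHP is an added illustration for this advisory, not RockOA's code: the CVE record does not identify the affected function in rock_page_gong.php, so the handler below is a hypothetical reconstruction of the pattern the description implies (the fengmian cover-image argument written into page HTML unchanged). It shows the vulnerable pattern beside the hardened one (allowlist plus attribute-context encoding) and a request-level precheck of the kind a reverse proxy or WAF rule would apply while a fix is pending. The function names, the DEFAULT_COVER path, the allowlist regex and the demonstration payload are all assumptions.

```php
<?php
// Added example for this advisory, not RockOA's code. The real handler in
// rock_page_gong.php is not identified in the CVE record; this reconstructs the
// pattern the description implies: the "fengmian" (cover image) argument is
// written into page HTML without neutralisation.

declare(strict_types=1);

const DEFAULT_COVER = 'images/default_cover.png'; // assumed fallback path

/**
 * Allowlist check for a cover-image reference: a relative path of safe
 * segments ending in an image extension. Scheme prefixes (javascript:,
 * data:), traversal ("..") and every HTML/JS metacharacter are rejected
 * by construction, since none of those characters is permitted.
 */
function is_valid_cover_path(string $value): bool
{
    return (bool) preg_match(
        '#\A(?:[A-Za-z0-9_-]+/){0,8}[A-Za-z0-9_-]+\.(?:png|jpe?g|gif|webp)\z#',
        $value
    );
}

/** Vulnerable pattern: raw request value placed inside an HTML attribute. */
function render_cover_vulnerable(array $query): string
{
    $fengmian = (string) ($query['fengmian'] ?? DEFAULT_COVER);
    return '<img class="cover" src="' . $fengmian . '">';
}

/**
 * Hardened pattern: validate the shape first, then encode for the HTML
 * attribute context. Encoding alone stops markup injection; the allowlist
 * additionally blocks javascript: and data: URLs, which htmlspecialchars()
 * leaves untouched because they contain no HTML metacharacters.
 */
function render_cover_safe(array $query): string
{
    $fengmian = (string) ($query['fengmian'] ?? DEFAULT_COVER);
    if (!is_valid_cover_path($fengmian)) {
        $fengmian = DEFAULT_COVER;
    }
    $encoded = htmlspecialchars($fengmian, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img class="cover" src="' . $encoded . '">';
}

/**
 * Request-level precheck (the stopgap WAF-style rule): for requests to the
 * handler, reject any fengmian value that does not look like a cover path.
 * parse_str() percent-decodes once; a second decode catches double-encoded
 * payloads such as %253C. Returns null when the request may proceed,
 * otherwise a reason string intended for a log line, never for HTML output.
 */
function precheck_request(string $path, string $queryString): ?string
{
    if (basename($path) !== 'rock_page_gong.php') {
        return null;
    }
    parse_str($queryString, $params);
    if (!isset($params['fengmian'])) {
        return null;
    }
    // fengmian[]=... arrives as an array; treat both shapes uniformly.
    $candidates = is_array($params['fengmian']) ? $params['fengmian'] : [$params['fengmian']];
    foreach ($candidates as $raw) {
        $value = rawurldecode((string) $raw);
        if (!is_valid_cover_path($value)) {
            return 'fengmian rejected: ' . $value;
        }
    }
    return null;
}

// Constructed demonstration values (a generic XSS probe, not the public exploit).
$payload = '"><script>alert(document.cookie)</script>';
echo render_cover_vulnerable(['fengmian' => $payload]), PHP_EOL;
echo render_cover_safe(['fengmian' => $payload]), PHP_EOL;
echo render_cover_safe(['fengmian' => 'upload/cover/2026/a1.jpg']), PHP_EOL;
var_dump(precheck_request('/rock_page_gong.php', 'fengmian=%22%3E%3Cscript%3E'));
var_dump(precheck_request('/rock_page_gong.php', 'fengmian=upload%2Fcover%2F2026%2Fa1.jpg'));
```

The vulnerable renderer emits the payload verbatim, closing the src attribute and starting a script element; the hardened renderer falls back to the default cover for anything outside the allowlist and encodes whatever survives, so even a later relaxation of the regex would still leave quotes and angle brackets neutralised. The precheck is deliberately narrow (it only inspects the one parameter on the one script named in the advisory) so that it can be deployed without affecting the rest of the application.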


Tracking


Advisories

No advisories yet.

History

Thu, 22 Jan 2026 23:00:00 +0000

CPEs (values added): cpe:2.3:a:rockoa:rockoa:*:*:*:*:*:*:*:*

Tue, 06 Jan 2026 14:30:00 +0000

First Time appeared (values added): Rockoa; Rockoa rockoa; Rockoa xinhu; Xinhu; Xinhu rockoa
Vendors & Products (values added): Rockoa; Rockoa rockoa; Rockoa xinhu; Xinhu; Xinhu rockoa

Tue, 06 Jan 2026 00:15:00 +0000

Metrics (values added): ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 05 Jan 2026 11:15:00 +0000

Description (values added): A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. The manipulation of the argument fengmian results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title (values added): Xinhu Rainrock RockOA Cover Image rock_page_gong.php cross site scripting
Weaknesses (values added): CWE-79; CWE-94
References (values added): none recorded
Metrics (values added): cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T08:17:24.286Z

Reserved: 2026-01-04T17:56:33.809Z

Link: CVE-2026-0587

Vulnrichment

Updated: 2026-01-05T21:30:08.646Z

NVD

Status : Analyzed

Published: 2026-01-05T11:17:42.947

Modified: 2026-01-22T16:43:40.047

Link: CVE-2026-0587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:30:35Z

Weaknesses