CVE-2024-37623
📋 TL;DR
Xinhu RockOA v2.6.3 contains a reflected cross-site scripting (XSS) vulnerability in the /kaoqin/tpl_kaoqin_locationchange.html component. This allows attackers to inject malicious scripts that execute in victims' browsers when they visit a crafted URL. Organizations using this specific version of RockOA are affected.
💻 Affected Systems
- Xinhu RockOA
📦 What is this software?
Xinhu by Rockoa
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.
Likely Case
Session hijacking leading to unauthorized access to the OA system, data theft, or defacement of the application interface.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.
🎯 Exploit Status
Exploitation requires tricking users into clicking a malicious link; no authentication needed to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://github.com/rainrocka/xinhu/issues/5
Restart Required: No
Instructions:
Check the GitHub issue for updates; apply any available patches or upgrade to a fixed version when released.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side validation and proper output encoding for the affected component to neutralize XSS payloads.
Content Security Policy (CSP)
Deploy a strict CSP header to block inline scripts and restrict script sources, mitigating XSS impact.
🧯 If You Can't Patch
- Restrict access to the vulnerable component using network controls or web application firewalls (WAF).
- Educate users about phishing risks and advise them not to click untrusted links to the OA system.
🔍 How to Verify
Check if Vulnerable:
Test the /kaoqin/tpl_kaoqin_locationchange.html endpoint with XSS payloads like <script>alert('XSS')</script> in parameters.
Check Version:
Check the RockOA version in the application interface or configuration files.
Verify Fix Applied:
Retest with XSS payloads after applying fixes; ensure scripts do not execute and input is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /kaoqin/tpl_kaoqin_locationchange.html with script tags or encoded payloads in parameters.
Network Indicators:
- HTTP requests containing malicious scripts in query strings to the vulnerable endpoint.
SIEM Query:
Example: source="web_server" AND uri="/kaoqin/tpl_kaoqin_locationchange.html" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")
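The SIEM query above matches only literal `<script>` and `javascript:` in the query string. As an added example (not part of this advisory), the script below applies the same indicators to web-server access-log lines after URL-decoding the query, so percent-encoded and double-encoded variants aimed at the vulnerable endpoint are flagged too. It assumes a combined log format and uses constructed sample lines.

```python
"""Flag access-log lines that look like reflected-XSS attempts against
/kaoqin/tpl_kaoqin_locationchange.html (CVE-2024-37623)."""
import re
from urllib.parse import unquote, urlsplit

TARGET_PATH = "/kaoqin/tpl_kaoqin_locationchange.html"
# Indicators from the advisory's SIEM query plus two common event-handler
# attribute forms; matched case-insensitively after URL decoding.
INDICATORS = ("<script", "javascript:", "onerror=", "onload=")
# Assumed combined log format: client ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+')

def decode_query(query: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C...) are caught."""
    for _ in range(rounds):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query

def classify_line(line: str):
    """Return (client_ip, matched_indicator) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:  # only the vulnerable endpoint is of interest
        return None
    haystack = decode_query(parts.query).lower()
    for ind in INDICATORS:
        if ind in haystack:
            return (client, ind)
    return None

def scan(lines):
    """Run classify_line over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify_line(l) for l in lines) if hit]

# Constructed sample lines (not real traffic): benign, plain tag, URL-encoded,
# double-encoded, and one aimed at a different path (must not match).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2024:10:00:00 +0000] "GET /kaoqin/tpl_kaoqin_locationchange.html?id=12 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jun/2024:10:00:01 +0000] "GET /kaoqin/tpl_kaoqin_locationchange.html?id=<script>alert(1)</script> HTTP/1.1" 200 600',
    '10.0.0.7 - - [01/Jun/2024:10:00:02 +0000] "GET /kaoqin/tpl_kaoqin_locationchange.html?id=%3Cscript%3E HTTP/1.1" 200 600',
    '10.0.0.8 - - [01/Jun/2024:10:00:03 +0000] "GET /kaoqin/tpl_kaoqin_locationchange.html?id=%253Cscript%253E HTTP/1.1" 200 600',
    '10.0.0.9 - - [01/Jun/2024:10:00:04 +0000] "GET /index.php?q=<script> HTTP/1.1" 200 600',
]
```

Run `scan(SAMPLE_LOG)` to list the offending client addresses; a WAF-blocked request (non-200 status) still matches, which is usually what you want for alerting.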