The vulnerability identified as CVE-2024-37622 affects Xinhu RockOA version 2.6.3, a web-based office automation platform. It is a reflected cross-site scripting (XSS) flaw located in the 'num' parameter of the /flow/flow.php script. Reflected XSS occurs when untrusted user input is immediately returned by the web application without proper sanitization or encoding, allowing an attacker to craft a malicious URL that, when visited by a victim, executes arbitrary JavaScript in their browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The CVSS 3.1 vector indicates the attack can be launched remotely over the network (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R), and impacts confidentiality and integrity (C:L/I:L) without affecting availability (A:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. No patches or exploit code are currently available, but the vulnerability is publicly disclosed and should be treated seriously. CWE-79 categorizes this as a classic XSS issue, emphasizing the need for input validation and output encoding. Xinhu RockOA is used primarily in Chinese enterprises and government sectors for workflow and document management, making the vulnerability relevant to organizations relying on this software for internal communications and process automation.

Exploitation of this reflected XSS vulnerability can lead to the compromise of user session tokens, enabling attackers to impersonate legitimate users and access sensitive information or perform unauthorized actions within the application. This undermines the confidentiality and integrity of user data and may facilitate further attacks such as phishing or malware distribution. Although availability is not directly impacted, the breach of trust and potential data leakage can have significant reputational and operational consequences. Organizations using Xinhu RockOA risk exposure of internal workflows and sensitive communications, which could be leveraged for espionage or competitive advantage by threat actors. The requirement for user interaction limits the attack vector to social engineering or phishing campaigns, but the ease of exploitation (no privileges needed, low attack complexity) increases the likelihood of successful attacks once users are tricked into clicking malicious links. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation as the vulnerability is public knowledge.

Organizations should implement strict input validation and output encoding on the 'num' parameter and all user-supplied inputs to prevent injection of malicious scripts. Until an official patch is released by Xinhu RockOA, web application firewalls (WAFs) can be configured to detect and block typical XSS attack patterns targeting the vulnerable endpoint. Security teams should educate users about the risks of clicking unsolicited links and implement phishing awareness training to reduce the likelihood of successful social engineering. Monitoring web server logs for suspicious requests to /flow/flow.php with unusual 'num' parameter values can help detect attempted exploitation. Employing Content Security Policy (CSP) headers can mitigate the impact of XSS by restricting the execution of unauthorized scripts. Regularly updating and patching the application once a fix is available is critical. Additionally, organizations should review and limit the exposure of the Xinhu RockOA application to only trusted networks or VPNs to reduce the attack surface.