Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by roncoo
CVE-2025-10992 (GCVE-0-2025-10992)
Vulnerability from cvelistv5 – Published: 2025-09-26 01:32 – Updated: 2025-09-26 15:17
VLAI
Title
roncoo roncoo-pay lookupList improper authorization
Summary
A vulnerability was determined in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Affected is an unknown function of the file /user/info/lookupList. Executing manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.325919 | vdb-entry |
| https://vuldb.com/?ctiid.325919 | signaturepermissions-required |
| https://vuldb.com/?submit.653738 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19063472 | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| roncoo | roncoo-pay |
Affected:
9428382af21cd5568319eae7429b7e1d0332ff40
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T15:17:02.596134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T15:17:10.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "roncoo-pay",
"vendor": "roncoo",
"versions": [
{
"status": "affected",
"version": "9428382af21cd5568319eae7429b7e1d0332ff40"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot888 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. Affected is an unknown function of the file /user/info/lookupList. Executing manipulation can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40 ist eine Schwachstelle entdeckt worden. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion der Datei /user/info/lookupList. Die Bearbeitung verursacht improper authorization. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden. F\u00fcr dieses Produkt wird ein Rolling-Release-Ansatz verwendet, wodurch eine st\u00e4ndige Bereitstellung erfolgt. Daher sind keine Versionsdetails zu betroffenen oder aktualisierten Versionen vorhanden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T01:32:07.831Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-325919 | roncoo roncoo-pay lookupList improper authorization",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.325919"
},
{
"name": "VDB-325919 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.325919"
},
{
"name": "Submit #653738 | roncoo roncoo-pay latest broken function level authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.653738"
},
{
"tags": [
"exploit"
],
"url": "https://www.cnblogs.com/aibot/p/19063472"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-25T19:57:13.000Z",
"value": "VulDB entry last update"
}
],
"title": "roncoo roncoo-pay lookupList improper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-10992",
"datePublished": "2025-09-26T01:32:07.831Z",
"dateReserved": "2025-09-25T17:51:39.545Z",
"dateUpdated": "2025-09-26T15:17:10.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10288 (GCVE-0-2025-10288)
Vulnerability from cvelistv5 – Published: 2025-09-12 05:02 – Updated: 2025-09-12 13:04
VLAI
Title
roncoo roncoo-pay list improper authentication
Summary
A vulnerability was found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The impacted element is an unknown function of the file /user/info/list. Performing manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.323650 | vdb-entry |
| https://vuldb.com/?ctiid.323650 | signaturepermissions-required |
| https://vuldb.com/?submit.643837 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19063475 | broken-linkexploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| roncoo | roncoo-pay |
Affected:
9428382af21cd5568319eae7429b7e1d0332ff40
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10288",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-12T13:04:20.114569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T13:04:22.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/?submit.643837"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "roncoo-pay",
"vendor": "roncoo",
"versions": [
{
"status": "affected",
"version": "9428382af21cd5568319eae7429b7e1d0332ff40"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot88 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The impacted element is an unknown function of the file /user/info/list. Performing manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "In roncoo roncoo-pay bis 9428382af21cd5568319eae7429b7e1d0332ff40 wurde eine Schwachstelle gefunden. Es geht um eine nicht n\u00e4her bekannte Funktion der Datei /user/info/list. Die Ver\u00e4nderung resultiert in improper authentication. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Das Produkt nutzt ein Rolling Release f\u00fcr die kontinuierliche Auslieferung. Deshalb gibt es keine Versionsangaben zu betroffenen oder aktualisierten Releases."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T05:02:07.934Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-323650 | roncoo roncoo-pay list improper authentication",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.323650"
},
{
"name": "VDB-323650 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.323650"
},
{
"name": "Submit #643837 | roncoo roncoo-pay latest broken function level authorisation",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.643837"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://www.cnblogs.com/aibot/p/19063475"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-11T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-11T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-11T19:27:28.000Z",
"value": "VulDB entry last update"
}
],
"title": "roncoo roncoo-pay list improper authentication"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-10288",
"datePublished": "2025-09-12T05:02:07.934Z",
"dateReserved": "2025-09-11T17:22:20.173Z",
"dateUpdated": "2025-09-12T13:04:22.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10287 (GCVE-0-2025-10287)
Vulnerability from cvelistv5 – Published: 2025-09-12 04:32 – Updated: 2025-09-12 17:15
VLAI
Title
roncoo roncoo-pay orderQuery direct request
Summary
A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /auth/orderQuery. Such manipulation of the argument orderNo leads to direct request. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-425 - Direct Request
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.323649 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.323649 | signaturepermissions-required |
| https://vuldb.com/?submit.643387 | third-party-advisory |
| https://www.cnblogs.com/aibot/p/19063496 | broken-linkexploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| roncoo | roncoo-pay |
Affected:
9428382af21cd5568319eae7429b7e1d0332ff40
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10287",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-12T17:15:00.589614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T17:15:11.614Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "roncoo-pay",
"vendor": "roncoo",
"versions": [
{
"status": "affected",
"version": "9428382af21cd5568319eae7429b7e1d0332ff40"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "aibot888 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /auth/orderQuery. Such manipulation of the argument orderNo leads to direct request. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in roncoo roncoo-pay bis 9428382af21cd5568319eae7429b7e1d0332ff40 entdeckt. Betroffen hiervon ist ein unbekannter Ablauf der Datei /auth/orderQuery. Die Manipulation des Arguments orderNo f\u00fchrt zu direct request. Der Angriff kann remote ausgef\u00fchrt werden. Das Durchf\u00fchren eines Angriffs ist mit einer relativ hohen Komplexit\u00e4t verbunden. Das Ausnutzen gilt als schwierig. Die Ausnutzung wurde ver\u00f6ffentlicht und kann verwendet werden. Bei diesem Produkt handelt es sich um ein Rolling Release, das eine fortlaufende Bereitstellung erm\u00f6glicht. Aus diesem Grund stehen keine Versionsinformationen zu betroffenen oder aktualisierten Versionen zur Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.1,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-425",
"description": "Direct Request",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T04:32:07.144Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-323649 | roncoo roncoo-pay orderQuery direct request",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.323649"
},
{
"name": "VDB-323649 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.323649"
},
{
"name": "Submit #643387 | roncoo roncoo-pay latest broken function level authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.643387"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://www.cnblogs.com/aibot/p/19063496"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-11T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-09-11T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-11T19:27:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "roncoo roncoo-pay orderQuery direct request"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-10287",
"datePublished": "2025-09-12T04:32:07.144Z",
"dateReserved": "2025-09-11T17:22:13.367Z",
"dateUpdated": "2025-09-12T17:15:11.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29632 (GCVE-0-2022-29632)
Vulnerability from cvelistv5 – Published: 2022-05-26 19:55 – Updated: 2024-08-03 06:26
VLAI
Summary
An arbitrary file upload vulnerability in the component /course/api/upload/pic of Roncoo Education v9.0.0 allows attackers to execute arbitrary code via a crafted file.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/roncoo/roncoo-education/issues/16 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:26:06.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roncoo/roncoo-education/issues/16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file upload vulnerability in the component /course/api/upload/pic of Roncoo Education v9.0.0 allows attackers to execute arbitrary code via a crafted file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-26T19:55:46.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roncoo/roncoo-education/issues/16"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-29632",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An arbitrary file upload vulnerability in the component /course/api/upload/pic of Roncoo Education v9.0.0 allows attackers to execute arbitrary code via a crafted file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roncoo/roncoo-education/issues/16",
"refsource": "MISC",
"url": "https://github.com/roncoo/roncoo-education/issues/16"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-29632",
"datePublished": "2022-05-26T19:55:46.000Z",
"dateReserved": "2022-04-25T00:00:00.000Z",
"dateUpdated": "2024-08-03T06:26:06.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}