A SQL injection vulnerability in Xinhu OA System v1.8.3 allows remote attackers to obtain sensitive information by injecting arbitrary SQL commands through the "typeid" variable of the "createfolderAjax" function in the "mode_worcAction.php" component.