CVE-2024-10658
Tongda OA check_seal.php SQL injection
In short
Tongda OA contains a SQL injection flaw in the check_seal.php file that allows attackers to manipulate the ID parameter and inject malicious database commands. An attacker can exploit this remotely to read, modify, or delete sensitive data stored in the application's database.
Technical detail
A SQL injection vulnerability exists in /pda/approve_center/check_seal.php: the ID parameter is not properly sanitized before being used in database queries. Remote unauthenticated attackers can inject arbitrary SQL commands to access, modify, or exfiltrate sensitive information from the backend database.
Summary generated and translated by AI from the official description.
A vulnerability classified as critical was found in Tongda OA up to 11.10. Affected by this vulnerability is an unknown functionality of the file /pda/approve_center/check_seal.php. The manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
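A detection check for the flaw described under Technical detail, added here as an example (not code from the vendor or from this advisory): it scans web access logs for requests to /pda/approve_center/check_seal.php whose ID value is not a plain integer. The combined log format, the premise that legitimate ID values are integers sent in the query string, the function name suspicious_requests and the sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Path and parameter name are taken from the advisory text.
VULN_PATH = "/pda/approve_center/check_seal.php"
PARAM = "ID"

# Assumption: the web server writes common/combined log format lines.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Assumption: legitimate ID values are plain integers; confirm against your own traffic.
SAFE_VALUE = re.compile(r"\d{1,18}")


def suspicious_requests(lines):
    """Return (ip, status, decoded ID) for requests to the endpoint whose ID is not an integer."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        # Decode the path, collapse repeated slashes and lower-case it, so that
        # spelling variants of the same file are still recognised.
        path = re.sub(r"/+", "/", unquote(url.path)).lower()
        if path != VULN_PATH:
            continue
        # parse_qsl percent-decodes once and keeps repeated parameters,
        # so every copy of ID in the query string is checked.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name == PARAM and not SAFE_VALUE.fullmatch(value):
                hits.append((m["ip"], int(m["status"]), value))
    return hits


# Constructed sample log lines (documentation IP ranges), not from a real incident.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Nov/2024:10:00:01 +0000] "GET /pda/approve_center/check_seal.php?ID=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Nov/2024:10:00:05 +0000] "GET /pda/approve_center/check_seal.php?ID=42%27 HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Nov/2024:10:00:06 +0000] "GET /PDA/approve_center//check_seal.php?x=1&ID=42%20AND%201 HTTP/1.1" 500 0',
    '198.51.100.7 - - [01/Nov/2024:10:00:09 +0000] "GET /general/index.php?ID=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} ID={value!r}")
```

Access logs normally record only the query string, so an ID sent in a POST body needs request-body logging or a WAF rule to be seen.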
Affected products
Tongda · OA