CVE-2024-10657

A vulnerability classified as critical has been found in Tongda OA up to 11.10. Affected is an unknown function of the file /pda/approve_center/prcs_info.php. The manipulation of the argument RUN_ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
References
Link Resource
https://github.com/LvZCh/td/issues/13 Exploit Third Party Advisory
https://vuldb.com/?ctiid.282672 Permissions Required VDB Entry
https://vuldb.com/?id.282672 Third Party Advisory VDB Entry
https://vuldb.com/?submit.433528 Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

cpe:2.3:a:tongda2000:office_anywhere:*:*:*:*:*:*:*:*

History

04 Nov 2024, 19:47

Type Values Removed Values Added
References () https://github.com/LvZCh/td/issues/13 - () https://github.com/LvZCh/td/issues/13 - Exploit, Third Party Advisory
References () https://vuldb.com/?ctiid.282672 - () https://vuldb.com/?ctiid.282672 - Permissions Required, VDB Entry
References () https://vuldb.com/?id.282672 - () https://vuldb.com/?id.282672 - Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.433528 - () https://vuldb.com/?submit.433528 - Third Party Advisory, VDB Entry
First Time Tongda2000
Tongda2000 office Anywhere
CPE cpe:2.3:a:tongda2000:office_anywhere:*:*:*:*:*:*:*:*
CVSS v2 : 6.5
v3 : 6.3
v2 : 6.5
v3 : 9.8
Summary
  • (es) Se ha encontrado una vulnerabilidad clasificada como crítica en Tongda OA hasta la versión 11.10. Se ve afectada una función desconocida del archivo /pda/approve_center/prcs_info.php. La manipulación del argumento RUN_ID provoca una inyección SQL. Es posible lanzar el ataque de forma remota. El exploit se ha hecho público y puede utilizarse.

01 Nov 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-01 15:15

Updated : 2024-11-04 19:47


NVD link : CVE-2024-10657

Mitre link : CVE-2024-10657

CVE.ORG link : CVE-2024-10657


JSON object : View

Products Affected

tongda2000

  • office_anywhere
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')