CVE-2024-10600

Tongda OA 2017 submenu.php SQL injection

CVSS 6.9 MEDIUM · EPSS 6.3% · CWE-89
In short

Tongda OA 2017 allows attackers to inject malicious SQL commands through the appid parameter of pda/appcenter/submenu.php, potentially letting them access or modify sensitive database information without proper authorization.

Technical detail

SQL injection vulnerability in pda/appcenter/submenu.php via unsanitized appid parameter (CWE-89). Remote unauthenticated attack vector; no special preconditions required. Successful exploitation enables unauthorized database access, data exfiltration, or manipulation.

Summary generated and translated by AI from the official description.
A vulnerability, which was classified as critical, was found in Tongda OA 2017 up to 11.6. Affected is an unknown function of the file pda/appcenter/submenu.php. The manipulation of the argument appid leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Affected products
Tongda · OA 2017
