CVE-2023-4165
Tongda OA delete_seal.php sql injection
In summary
A flaw in the delete_seal.php file of Tongda OA allows attackers to inject malicious SQL commands through the DELETE_STR parameter, potentially accessing or modifying sensitive database information without proper authorization.
Technical detail
SQL injection vulnerability in delete_seal.php (general/system/seal_manage/iweboffice/) via the unsanitized DELETE_STR parameter; allows attackers to execute arbitrary SQL queries; impacts the confidentiality and integrity of the database. Fixed in version 11.10.
Summary generated and translated by AI from the official description.
A vulnerability, which was classified as critical, was found in Tongda OA. This affects an unknown part of the file general/system/seal_manage/iweboffice/delete_seal.php. The manipulation of the argument DELETE_STR leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-236181 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected products
Tongda · OA