Tongda OA 2017 delete.php sql injection
CVE-2023-6607

7.5HIGH

Key Information:

Vendor
Tongda
Status
OA 2017
Vendor
CVE Published:
8 December 2023

Summary

A security vulnerability has been identified in Tongda OA 2017, specifically affecting versions up to 11.10. This issue resides in the file general/wiki/cp/manage/delete.php, where manipulation of the TERM_ID_STR parameter can lead to SQL injection. The exploit for this vulnerability has been publicly disclosed, making it critical for users to implement security measures to prevent potential data breaches. Despite attempts to notify the vendor, there has been no response. Organizations utilizing Tongda OA should assess their exposure and apply necessary precautions.

Affected Version(s)

OA 2017 11.0

OA 2017 11.1

OA 2017 11.2

References

https://vuldb.com/?id.247243
vdb-entrytechnical-description
https://vuldb.com/?ctiid.247243
signaturepermissions-required
https://github.com/willchen0011/cve/blob/main/sql.md
exploit

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

willchen (VulDB User)
.
CVE-2023-6607 : Tongda OA 2017 delete.php sql injection | SecurityVulnerability.io