Tongda OA 2017 delete.php sql injection
CVE-2023-6608

7.5HIGH

Key Information:

Vendor
Tongda
Status
OA 2017
Vendor
CVE Published:
8 December 2023

Summary

A vulnerability exists in Tongda OA 2017 that allows an attacker to exploit the file general/notify/manage/delete.php. By manipulating the argument DELETE_STR, the attacker can perform SQL injection attacks, potentially leading to unauthorized data access or modification. Although the vendor was notified of this issue, they have not provided a response. Users are strongly advised to upgrade to version 11.10 or later to mitigate this security risk.

Affected Version(s)

OA 2017 11.0

OA 2017 11.1

OA 2017 11.2

References

https://vuldb.com/?id.247244
vdb-entrytechnical-description
https://vuldb.com/?ctiid.247244
signaturepermissions-required
https://github.com/willchen0011/cve/blob/main/sql2.md
exploit

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

willchen (VulDB User)
.
CVE-2023-6608 : Tongda OA 2017 delete.php sql injection | SecurityVulnerability.io