Tongda OA 2017 delete.php sql injection
CVE-2023-6611

7.5 HIGH

Key Information:

Vendor: Tongda
Status: Vendor
CVE Published: 8 December 2023

Summary

A SQL injection vulnerability has been identified in Tongda OA 2017 in the email deletion functionality at pda/pad/email/delete.php. By manipulating the EMAIL_ID parameter, an attacker could execute unauthorized SQL commands, potentially compromising the integrity of the database. The issue was publicly disclosed; affected users are advised to upgrade to version 11.10, and administrators should apply the recommended update to keep their systems secure against this vulnerability. The vendor, Tongda Technology, did not respond after being contacted about this issue.
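An added detection example (not code from this page, the vendor, or the reporter): a small Python scanner that reads web-server access-log lines and reports requests to the advisory's pda/pad/email/delete.php endpoint whose EMAIL_ID value is not a plain numeric id. The log lines are constructed samples, and the assumption that a legitimate EMAIL_ID is numeric is mine, not something the advisory states.

```python
import re
from urllib.parse import parse_qs, urlparse

# Path and parameter named in the advisory. The log lines below are constructed
# samples in Common Log Format, not real traffic.
TARGET_PATH = "/pda/pad/email/delete.php"
PARAM = "EMAIL_ID"
SAMPLE_LOG = """\
192.0.2.10 - - [08/Dec/2023:10:00:01 +0000] "GET /pda/pad/email/delete.php?EMAIL_ID=42 HTTP/1.1" 200 512
192.0.2.11 - - [08/Dec/2023:10:00:02 +0000] "GET /pda/pad/email/delete.php?EMAIL_ID=42%27%20OR%201%3D1-- HTTP/1.1" 200 512
192.0.2.12 - - [08/Dec/2023:10:00:03 +0000] "GET /general/index.php HTTP/1.1" 200 128
192.0.2.13 - - [08/Dec/2023:10:00:04 +0000] "GET /pda/pad/email/delete.php?EMAIL_ID=7%2C8%2C9 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumption: a well-formed request carries a plain numeric id. Everything else is
# reported; values containing SQL metacharacters or keywords are flagged separately.
EXPECTED_ID_RE = re.compile(r"^\d+$")
SQL_META_RE = re.compile(r"""['"#;]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b""", re.I)

def classify_value(value):
    """Return None for a well-formed id, else a short reason for the analyst."""
    if EXPECTED_ID_RE.match(value):
        return None
    if SQL_META_RE.search(value):
        return "sql-metacharacters"
    return "non-numeric-id"

def scan_line(line):
    """Findings for one log line. Only query-string values are visible in CLF;
    a value sent in a POST body needs the application or WAF log instead."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    src_ip, method, target, status = m.groups()
    url = urlparse(target)
    if url.path != TARGET_PATH:
        return []
    findings = []
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        reason = classify_value(value)
        if reason:
            findings.append({"src_ip": src_ip, "method": method, "status": status,
                             "value": value, "reason": reason})
    return findings

def scan_log(text):
    """Scan a whole access log and return the findings in log order."""
    return [f for line in text.splitlines() for f in scan_line(line)]
```

Running scan_log(SAMPLE_LOG) reports the second and fourth sample lines; the 200 status on a flagged request is the cue to pull the application log for that id.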

Affected Version(s)

OA 2017 11.0

OA 2017 11.1

OA 2017 11.2

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

sasav587 (VulDB User)
CVE-2023-6611 : Tongda OA 2017 delete.php sql injection | SecurityVulnerability.io