CVE-2024-10602 Overview
CVE-2024-10602 is a SQL injection vulnerability in Tongda2000 Office Anywhere (Tongda OA) versions 2017 through 11.9. The flaw resides in the /general/approve_center/list/input_form/data_picker_link.php script. Attackers can manipulate the dataSrc parameter to inject arbitrary SQL statements against the backend database. The vulnerability is remotely exploitable over the network and requires only low-privileged authentication. Public disclosure of the exploit details has occurred, increasing the risk of opportunistic exploitation against exposed instances. The issue is classified under CWE-89 — Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Remote attackers with low-privileged access can execute arbitrary SQL queries, leading to disclosure or modification of database contents.
Affected Products
- Tongda2000 Office Anywhere 2017
- Tongda2000 Office Anywhere versions up to and including 11.9
- Deployments exposing data_picker_link.php to network-reachable users
Discovery Timeline
- 2024-11-01 - CVE-2024-10602 published to NVD
- 2024-11-04 - Last updated in NVD database
Technical Details for CVE-2024-10602
Vulnerability Analysis
The vulnerability exists in the data_picker_link.php component of the Tongda OA approval center module. The dataSrc request parameter is concatenated into a SQL statement without proper sanitization or parameterization. An authenticated attacker can supply crafted input to alter query semantics. Successful exploitation allows reading sensitive data, modifying records, or pivoting deeper into the application. Because Tongda OA serves as an enterprise office automation platform, the impacted database typically contains user credentials, internal documents, approval workflows, and personnel data. The exploit details have been publicly disclosed, lowering the technical barrier for attackers to weaponize the issue against unpatched instances.
Root Cause
The root cause is improper neutralization of user-supplied input in the dataSrc parameter. The PHP code passes the value directly into a SQL query string rather than using prepared statements or strict input validation. This violates standard defensive practice for database query construction and matches the CWE-89 weakness pattern.
Attack Vector
The attack vector is network-based and requires low privileges with no user interaction. An attacker sends an HTTP request to /general/approve_center/list/input_form/data_picker_link.php containing a tampered dataSrc parameter. Boolean-based, error-based, or time-based blind SQL injection payloads can be used to enumerate the database. Refer to the GitHub Issue Discussion and VulDB #282614 for additional technical context.
Detection Methods for CVE-2024-10602
Indicators of Compromise
- HTTP requests to /general/approve_center/list/input_form/data_picker_link.php containing SQL metacharacters such as ', --, UNION, SLEEP, or INFORMATION_SCHEMA in the dataSrc parameter.
- Unusually long or URL-encoded values supplied to the dataSrc parameter.
- Database error messages logged by the application server following requests to the affected endpoint.
- Outbound database queries originating from the OA web tier targeting sensitive tables such as user, password, or session stores.
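The indicators above (and the account correlation suggested under Detection Strategies) applied to web server access logs, as an added example that is not part of this advisory; the signature list mirrors the page's indicators, the 64-character "unusually long" threshold is an assumption, and the log lines are constructed samples:

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint named in the advisory; signatures follow its indicators-of-compromise list.
ENDPOINT = "/general/approve_center/list/input_form/data_picker_link.php"
SIGNATURES = [
    ("quote", re.compile(r"'")),
    ("comment", re.compile(r"--")),
    ("union", re.compile(r"\bUNION\b", re.I)),
    ("sleep", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("information_schema", re.compile(r"\bINFORMATION_SCHEMA\b", re.I)),
]
MAX_LEN = 64  # assumed threshold for an "unusually long" dataSrc value
# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def inspect_line(line):
    """Return the indicator names matched by one access-log line ([] if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return []  # the same metacharacters on other endpoints are out of scope for this CVE
    hits = []
    for raw in parse_qs(url.query, keep_blank_values=True).get("dataSrc", []):
        # parse_qs percent-decodes once; decode again so a double-encoded %2527 (') is still caught
        value = unquote_plus(raw)
        for name, sig in SIGNATURES:
            if sig.search(value) and name not in hits:
                hits.append(name)
        if len(value) > MAX_LEN and "long_value" not in hits:
            hits.append("long_value")
    return hits

def scan(lines):
    # One (ip, authenticated user, indicators) tuple per flagged line, for account correlation.
    out = []
    for line in lines:
        hits = inspect_line(line)
        if hits:
            m = LOG_RE.match(line)
            out.append((m.group("ip"), m.group("user"), hits))
    return out

# Constructed samples: a normal lookup, an injection attempt, the same metacharacters on an unrelated endpoint, a double-encoded quote.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Nov/2024:10:00:01 +0000] "GET /general/approve_center/list/input_form/data_picker_link.php?dataSrc=dept_list HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Nov/2024:10:00:07 +0000] "GET /general/approve_center/list/input_form/data_picker_link.php?dataSrc=dept_list%27%20UNION%20SELECT%201--%20 HTTP/1.1" 200 4096',
    '10.0.0.9 - bob [01/Nov/2024:10:00:12 +0000] "GET /general/index.php?dataSrc=%27 HTTP/1.1" 200 120',
    '10.0.0.9 - bob [01/Nov/2024:10:00:20 +0000] "GET /general/approve_center/list/input_form/data_picker_link.php?dataSrc=dept_list%2527 HTTP/1.1" 500 80',
]
```

Feeding `scan(SAMPLE_LOG)` with real logs yields the (ip, user, indicators) tuples to correlate against authentication events; the second decode step is what makes the double-encoded fourth line fire.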
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the dataSrc parameter for SQL injection signatures.
- Enable verbose query logging on the backend MySQL/MariaDB server and alert on anomalous query patterns originating from the OA application user.
- Correlate authentication events with subsequent requests to the affected PHP endpoint to identify suspicious low-privileged accounts.
Monitoring Recommendations
- Forward web server access logs and database audit logs to a centralized SIEM for query and parameter analysis.
- Baseline normal traffic to the approve_center module and alert on deviations in request frequency or payload size.
- Monitor for new or unusual administrative database accounts created after suspicious requests to the endpoint.
How to Mitigate CVE-2024-10602
Immediate Actions Required
- Restrict network access to the Tongda OA web interface using firewall rules or VPN-only access until a vendor patch is applied.
- Audit application accounts and disable or rotate credentials for low-privileged users that no longer require access.
- Inspect web and database logs for prior exploitation attempts against data_picker_link.php.
- Apply WAF signatures that block SQL injection patterns targeting the dataSrc parameter.
Patch Information
No vendor advisory or official patch has been published in the referenced sources at the time of NVD publication. Monitor the Tongda2000 vendor channels and the VulDB CTI ID #282614 entry for patch availability. Until an official fix is released, treat all instances as vulnerable and apply compensating controls.
Workarounds
- Block external access to /general/approve_center/list/input_form/data_picker_link.php at the reverse proxy or WAF layer if the function is not required.
- Enforce strict input validation on the dataSrc parameter by allowlisting expected values at the proxy layer.
- Apply the principle of least privilege to the database account used by the OA application to limit the blast radius of injection.
- Enable database query logging and configure alerts for queries that reference system catalogs or sensitive tables.
# Example NGINX block rule to restrict the vulnerable endpoint
# (return 403 runs in the rewrite phase, before deny all is evaluated, so either directive alone suffices)
location ~* /general/approve_center/list/input_form/data_picker_link\.php$ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.