CVE-2024-10615 Overview
CVE-2024-10615 is a SQL injection vulnerability in Tongda2000 Office Anywhere (Tongda OA) versions 2017 through 11.10. The flaw resides in the /general/approve_center/query/list/input_form/delete_data_attach.php script, where the RUN_ID parameter is passed directly into a database query without proper sanitization [CWE-89]. A remote attacker with low-privileged access can manipulate the parameter to execute arbitrary SQL statements against the backend database. The exploit has been publicly disclosed, increasing the risk of opportunistic abuse against exposed deployments.
Critical Impact
Authenticated remote attackers can inject SQL into the RUN_ID parameter of delete_data_attach.php, enabling unauthorized read, modification, or deletion of database records in Tongda OA deployments.
Affected Products
- Tongda2000 Office Anywhere 2017
- Tongda2000 Office Anywhere versions up to and including 11.10
- Component: /general/approve_center/query/list/input_form/delete_data_attach.php
Discovery Timeline
- 2024-11-01 - CVE-2024-10615 published to the National Vulnerability Database (NVD)
- 2024-11-04 - Last updated in the NVD
Technical Details for CVE-2024-10615
Vulnerability Analysis
The vulnerability is a classic SQL injection issue in a PHP endpoint that handles attachment deletion within the approval center workflow. The delete_data_attach.php script reads the RUN_ID HTTP parameter and concatenates the value into a SQL statement that targets the underlying database. Because the parameter is not validated, escaped, or bound as a prepared statement, an attacker can append additional SQL syntax to alter query semantics.
Exploitation requires network access to the application and low-level privileges, consistent with an authenticated user role in the OA system. Successful exploitation can disclose sensitive workflow data, modify approval records, or corrupt attachment metadata stored in the database.
Tongda OA is widely deployed across Chinese enterprises for office automation, making any exposed instance an attractive target for credential abuse and lateral movement. The public disclosure on VulDB and GitHub increases the likelihood of automated scanning against internet-facing deployments.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command [CWE-89]. The PHP handler trusts the user-supplied RUN_ID value and does not apply parameterized queries or input filtering before passing it to the database layer.
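The concatenation pattern described above and the two fixes that address it can be shown side by side. The following is an added example, not Tongda OA's code; it uses an in-memory SQLite table with a constructed schema (flow_attach with run_id and filename) that merely stands in for whatever table the real delete_data_attach.php handler touches. delete_attach_concat reproduces the CWE-89 defect, delete_attach_bound shows that parameter binding alone stops the appended SQL from being parsed, and delete_attach_hardened adds the numeric check that the workaround below also enforces at the proxy.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed toy table; not the real Tongda OA schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flow_attach (run_id INTEGER, filename TEXT)")
    conn.executemany(
        "INSERT INTO flow_attach VALUES (?, ?)",
        [(1, "budget.xlsx"), (2, "contract.pdf"), (3, "memo.docx")],
    )
    conn.commit()
    return conn


def delete_attach_concat(conn: sqlite3.Connection, run_id: str) -> int:
    """CWE-89 pattern: the request parameter is pasted into the statement text,
    so anything after the number is parsed as SQL."""
    cur = conn.execute(f"DELETE FROM flow_attach WHERE run_id = {run_id}")
    conn.commit()
    return cur.rowcount


def delete_attach_bound(conn: sqlite3.Connection, run_id: str) -> int:
    """Binding only: the value travels separately from the statement and is
    compared as data, so appended SQL never changes the query's meaning."""
    cur = conn.execute("DELETE FROM flow_attach WHERE run_id = ?", (run_id,))
    conn.commit()
    return cur.rowcount


def delete_attach_hardened(conn: sqlite3.Connection, run_id: str) -> int:
    """Validation plus binding: reject anything that is not a plain integer
    before it reaches the database, then bind the converted value."""
    if not run_id.isdigit():
        raise ValueError(f"RUN_ID must be numeric, got {run_id!r}")
    cur = conn.execute("DELETE FROM flow_attach WHERE run_id = ?", (int(run_id),))
    conn.commit()
    return cur.rowcount


def demo() -> dict:
    """Run the same tampered parameter through all three handlers.
    The value is constructed for the demo: a valid id with SQL appended."""
    tampered = "2 OR 1=1"
    results = {}
    results["concat_deleted"] = delete_attach_concat(make_db(), tampered)   # every row
    results["bound_deleted"] = delete_attach_bound(make_db(), tampered)     # no row
    db = make_db()
    try:
        delete_attach_hardened(db, tampered)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    results["hardened_legit_deleted"] = delete_attach_hardened(db, "2")     # exactly one row
    return results


if __name__ == "__main__":
    print(demo())
```

The bound-only variant still deletes nothing for the tampered input because SQLite compares the whole string as a value; the hardened variant is preferable because it fails loudly on bad input instead of silently matching no rows, which also gives the web tier something to log.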
Attack Vector
An attacker sends a crafted HTTP request to /general/approve_center/query/list/input_form/delete_data_attach.php with a malicious RUN_ID value containing SQL metacharacters. The injected payload modifies the resulting query, allowing data extraction through boolean-based, error-based, or time-based techniques. The attack does not require user interaction beyond the attacker authenticating to the OA application.
No verified proof-of-concept code is available. Refer to the GitHub Issue Discussion and VulDB #282626 for technical references.
Detection Methods for CVE-2024-10615
Indicators of Compromise
- HTTP requests to /general/approve_center/query/list/input_form/delete_data_attach.php containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP, or -- in the RUN_ID parameter
- Unusually long or URL-encoded RUN_ID values in web server access logs
- Database error messages or anomalous query latency originating from the approval center module
Detection Strategies
- Inspect web server and reverse proxy logs for requests targeting delete_data_attach.php with non-numeric RUN_ID values
- Deploy web application firewall (WAF) signatures that flag SQL injection patterns against Tongda OA endpoints
- Correlate authenticated user sessions with anomalous database query volumes against tables used by the approval workflow
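The indicators listed above and the first detection strategy (non-numeric RUN_ID values on delete_data_attach.php) can be checked directly against web server access logs. The scanner below is an added example written for this page, not a tool shipped with Tongda OA; it assumes combined log format (nginx or Apache) and uses constructed sample lines with documentation IP addresses. It also records requests to the endpoint that carry no RUN_ID in the query string, because a parameter sent in a POST body is never written to an access log and such requests cannot be cleared by this check.

```python
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/general/approve_center/query/list/input_form/delete_data_attach.php"

# Combined log format; fields after the status code are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Metacharacters and keywords the advisory names as indicators for RUN_ID.
SQLI_HINT = re.compile(r"(?i)(['\"]|--|\bunion\b|\bselect\b|\bsleep\b|\bor\b|\band\b)")


def inspect_line(line: str):
    """Return a finding dict for a suspicious hit on the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != VULN_PATH:
        return None
    finding = {
        "ip": m["ip"], "user": m["user"], "ts": m["ts"],
        "method": m["method"], "status": m["status"],
        "run_id": None, "reasons": [],
    }
    values = parse_qs(url.query, keep_blank_values=True).get("RUN_ID", [])
    if not values:
        # Body parameters are not logged, so this hit cannot be judged here.
        finding["reasons"].append("run_id_not_in_query_string")
        return finding
    for raw in values:  # parse_qs has already URL-decoded the value
        finding["run_id"] = raw
        if not raw.isdigit():
            finding["reasons"].append("non_numeric")
        if SQLI_HINT.search(raw):
            finding["reasons"].append("sql_metacharacters")
    return finding if finding["reasons"] else None


def scan_log(lines):
    """Apply inspect_line to every line and keep only the findings."""
    return [f for f in (inspect_line(ln) for ln in lines) if f]


# Constructed sample log lines (RFC 5737 addresses, invented users and times).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - alice [02/Nov/2024:10:15:32 +0000] "GET /general/approve_center/query/list/input_form/delete_data_attach.php?RUN_ID=4021 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - bob [02/Nov/2024:10:16:01 +0000] "GET /general/approve_center/query/list/input_form/delete_data_attach.php?RUN_ID=4021%27%20AND%20SLEEP(5)-- HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.7 - bob [02/Nov/2024:10:16:05 +0000] "GET /general/index.php?RUN_ID=abc HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '198.51.100.7 - bob [02/Nov/2024:10:16:09 +0000] "GET /general/approve_center/query/list/input_form/delete_data_attach.php?RUN_ID=1%20OR%201%3D1 HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.5 - alice [02/Nov/2024:10:20:44 +0000] "POST /general/approve_center/query/list/input_form/delete_data_attach.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f["ts"], f["ip"], f["user"], f["method"], f["reasons"], repr(f["run_id"]))
```

Feed it real logs with `scan_log(open(path))`; the non_numeric reason alone is enough to escalate on this endpoint, since a legitimate RUN_ID is always an integer, while the run_id_not_in_query_string entries are the POST requests that need the database or application log to resolve.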
Monitoring Recommendations
- Enable verbose access logging on the Tongda OA web tier and forward to a centralized logging platform for retention and analysis
- Monitor database accounts used by the OA application for unexpected SELECT queries against authentication or HR tables
- Alert on outbound connections from the OA server that deviate from baseline traffic, which may indicate data exfiltration following exploitation
How to Mitigate CVE-2024-10615
Immediate Actions Required
- Restrict network exposure of the Tongda OA application to trusted internal networks or VPN-only access
- Audit user accounts in the OA system and disable inactive or shared credentials that could be abused for authenticated exploitation
- Review web and database logs since the publication date for evidence of prior exploitation attempts against delete_data_attach.php
Patch Information
No vendor advisory or patch reference is listed in the NVD entry at the time of writing. Administrators should monitor the Tongda official channels and the VulDB CTI ID #282626 entry for updates. Until an official fix is available, apply the workarounds below.
Workarounds
- Block or rate-limit requests to /general/approve_center/query/list/input_form/delete_data_attach.php at the WAF or reverse proxy when the RUN_ID parameter is not strictly numeric
- Apply database-layer least privilege so the OA application account cannot read sensitive tables or execute administrative statements
- Place the OA application behind an authenticating reverse proxy to reduce the attack surface available to unauthenticated scanners
# Example nginx rule to enforce numeric RUN_ID on the vulnerable endpoint.
# $arg_RUN_ID only sees the query string: a RUN_ID carried in a POST body is
# not inspected by this rule, and a request with no RUN_ID in the query string
# is also rejected, so confirm how the application submits the parameter first.
location = /general/approve_center/query/list/input_form/delete_data_attach.php {
    if ($arg_RUN_ID !~ '^[0-9]+$') {
        return 403;
    }
    proxy_pass http://tongda_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.