CVE-2024-10616 Overview
CVE-2024-10616 is a SQL injection vulnerability affecting Tongda Office Anywhere (Tongda OA) versions up to 11.9. The flaw resides in the /pda/workflow/webSignSubmit.php endpoint, where the saleId parameter is passed into a database query without proper sanitization. An authenticated remote attacker can manipulate this parameter to inject arbitrary SQL statements. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Public exploit details have been disclosed, increasing the likelihood of opportunistic exploitation against exposed Tongda OA deployments.
Critical Impact
Remote attackers with low-privilege access can read, modify, or delete database contents through crafted requests to the webSignSubmit.php endpoint.
Affected Products
- Tongda2000 Office Anywhere (Tongda OA) versions up to and including 11.9
- Component: /pda/workflow/webSignSubmit.php
- Vulnerable parameter: saleId
Discovery Timeline
- 2024-11-01 - CVE-2024-10616 published to NVD
- 2024-11-04 - Last updated in NVD database
Technical Details for CVE-2024-10616
Vulnerability Analysis
The vulnerability exists in the workflow handler /pda/workflow/webSignSubmit.php, part of the Tongda OA mobile workflow module. The script accepts the saleId parameter from incoming HTTP requests and incorporates the value into a SQL query without parameterized binding or input validation. This allows attackers to break out of the intended query context and append arbitrary SQL clauses.
Exploitation requires network access to the application and a low-privilege account, as indicated by the PR:L component of the CVSS 4.0 vector. No user interaction is required, and the attack complexity is low. Successful exploitation impacts confidentiality, integrity, and availability of the backend database. The EPSS probability is approximately 0.114%, placing it in the 29th percentile for likelihood of exploitation activity.
Root Cause
The root cause is the direct concatenation of user-supplied input into a SQL statement within webSignSubmit.php. The application does not enforce prepared statements, type casting, or allow-list validation on the saleId argument. This pattern is a classic instance of [CWE-89] and is common in legacy PHP applications that build queries through string interpolation.
Attack Vector
An authenticated attacker sends a crafted HTTP request to /pda/workflow/webSignSubmit.php with a malicious saleId value. The payload can use standard SQL injection techniques such as boolean-based blind injection, time-based blind injection, or UNION-based extraction to enumerate database contents. Because the endpoint is reachable over the network, attackers can target internet-facing Tongda OA instances directly. Refer to the GitHub Issue Discussion and VulDB Entry #282627 for additional technical context.
Detection Methods for CVE-2024-10616
Indicators of Compromise
- HTTP POST or GET requests to /pda/workflow/webSignSubmit.php containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP(, or -- in the saleId parameter.
- Web server access logs showing repeated requests to webSignSubmit.php from a single source with varying saleId values, indicating automated probing.
- Database error messages or unusually long response times correlated with requests to the affected endpoint.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the saleId parameter for SQL injection signatures on the /pda/workflow/webSignSubmit.php path.
- Enable database query logging and alert on anomalous queries originating from the Tongda OA application service account.
- Correlate authentication events with subsequent requests to the vulnerable endpoint to identify low-privilege accounts performing injection attempts.
Monitoring Recommendations
- Forward Tongda OA web server logs and database audit logs to a centralized SIEM for retention and analysis.
- Monitor outbound connections from the Tongda OA host for signs of data exfiltration following suspicious database queries.
- Track failed login attempts followed by access to /pda/workflow/ endpoints to detect credential stuffing combined with exploitation.
How to Mitigate CVE-2024-10616
Immediate Actions Required
- Restrict network exposure of Tongda OA to trusted networks or via VPN until a vendor patch is applied.
- Audit application accounts and enforce the principle of least privilege on the database user backing Tongda OA.
- Review web server and database logs for prior exploitation attempts targeting webSignSubmit.php.
Patch Information
At the time of publication, no official vendor patch URL is listed in the NVD record for Tongda Office Anywhere 11.9. Administrators should monitor the Tongda2000 official channels and the VulDB CTI entry for updates. Upgrading to a version newer than 11.9, once released, is the recommended long-term remediation.
Workarounds
- Apply a WAF rule that blocks requests to /pda/workflow/webSignSubmit.php containing SQL metacharacters in the saleId parameter.
- If the workflow signing functionality is not required, restrict access to the /pda/workflow/ path at the reverse proxy or web server layer.
- Limit the database privileges of the Tongda OA service account to the minimum required tables and operations, preventing escalation through injection.
# Example nginx rule to block SQLi patterns on the affected endpoint
location /pda/workflow/webSignSubmit.php {
if ($args ~* "(union.*select|sleep\(|--|';|\bor\b.*=)") {
return 403;
}
proxy_pass http://tongda_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
