CVE-2024-10618 Overview
CVE-2024-10618 is a SQL injection vulnerability in Tongda2000 Office Anywhere (Tongda OA) versions 2017 through 11.10. The flaw resides in the /pda/reportshop/record_detail.php endpoint and is triggered through the repid parameter. Attackers can manipulate this parameter to inject arbitrary SQL statements into the underlying database query. The issue is remotely exploitable over the network and requires low privileges to trigger. The exploit details have been publicly disclosed, increasing the risk of opportunistic abuse against exposed Tongda OA deployments. The vulnerability is tracked under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Authenticated remote attackers can inject SQL through the repid parameter in record_detail.php, exposing database contents and integrity to manipulation.
Affected Products
- Tongda2000 Office Anywhere 2017
- Tongda2000 Office Anywhere versions through 11.10
- Tongda OA installations exposing /pda/reportshop/record_detail.php
Discovery Timeline
- 2024-11-01 - CVE-2024-10618 published to the National Vulnerability Database
- 2024-11-04 - Last updated in NVD database
Technical Details for CVE-2024-10618
Vulnerability Analysis
The vulnerability exists in the PDA reporting module of Tongda OA. The script /pda/reportshop/record_detail.php accepts a repid request parameter and passes it into a SQL query without proper sanitization or parameterization. An attacker who can reach the application over the network can append SQL syntax to repid to alter the query's logic. Successful exploitation allows reading arbitrary tables, modifying records, and enumerating database structure. Because Tongda OA stores user credentials, document metadata, and workflow data in its database, the impact extends to confidentiality and integrity of organizational records.
Root Cause
The root cause is improper neutralization of special elements in a SQL query [CWE-89]. The repid argument flows directly into a SQL statement constructed by the record_detail.php script without prepared statements or input validation. Any non-numeric or quoted payload terminates the intended query context and introduces attacker-controlled SQL fragments.
Attack Vector
The attack vector is network-based and requires low privileges. An attacker sends a crafted HTTP request to the vulnerable endpoint with a malicious repid value. The request can be issued through any HTTP client that can authenticate to the OA portal. Public disclosure of the exploit method lowers the skill threshold for attackers to weaponize this issue against exposed instances.
No verified proof-of-concept code has been released to a trusted repository. Technical details are referenced in the GitHub issue tracker entry and the VulDB entry #282629.
Detection Methods for CVE-2024-10618
Indicators of Compromise
- HTTP requests to /pda/reportshop/record_detail.php containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP, or comment sequences (--, #) in the repid parameter.
- Anomalous database error messages or unusually long query execution times originating from the Tongda OA application user.
- Repeated access to the record_detail.php endpoint from a single source over a short interval, indicating automated probing.
Detection Strategies
- Inspect web server and application logs for requests where repid is not strictly numeric, since the parameter is expected to be an integer report identifier.
- Deploy web application firewall signatures that flag SQL injection patterns targeting /pda/reportshop/record_detail.php.
- Monitor the database for queries against report tables that include UNION operators or boolean tautologies sourced from the Tongda OA service account.
Monitoring Recommendations
- Forward Tongda OA access logs, PHP error logs, and database query logs to a centralized analytics platform for correlation.
- Alert on outbound traffic spikes from the OA server that may indicate database exfiltration following injection.
- Track authentication events to identify low-privileged accounts performing reconnaissance against reporting endpoints.
How to Mitigate CVE-2024-10618
Immediate Actions Required
- Restrict network exposure of the Tongda OA application to trusted internal networks or VPN-authenticated users.
- Block or filter requests to /pda/reportshop/record_detail.php where the repid parameter is not a positive integer.
- Audit existing user accounts and rotate credentials for any account that may have been compromised through database access.
Patch Information
No official vendor patch has been published in the referenced advisories at the time of NVD publication. Administrators should monitor Tongda's official channels and the VulDB record for updated remediation guidance. Until a vendor fix is available, compensating controls are required.
Workarounds
- Deploy a web application firewall rule that enforces integer-only values for the repid query parameter on the vulnerable endpoint.
- Apply database least-privilege principles so the OA service account cannot read sensitive tables or execute administrative SQL.
- Disable or remove the /pda/reportshop/record_detail.php script if the PDA reporting feature is not used in production.
# Example WAF rule (ModSecurity) restricting repid to integers
SecRule REQUEST_URI "@beginsWith /pda/reportshop/record_detail.php" \
"chain,deny,status:403,id:1009618,msg:'CVE-2024-10618 SQLi block'"
SecRule ARGS:repid "!@rx ^[0-9]+$" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
