CVE-2024-10655 Overview
CVE-2024-10655 is a SQL injection vulnerability affecting Tongda Office Anywhere (Tongda OA) versions 2017 through 11.9. The flaw resides in the /pda/reportshop/new.php endpoint, where the repid parameter is not properly sanitized before being used in a database query. An authenticated remote attacker can manipulate the parameter to inject arbitrary SQL statements. The exploit details have been disclosed publicly, increasing the risk of opportunistic attacks against exposed instances. The vulnerability is tracked as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Remote attackers with low-privilege access can inject SQL into the repid parameter to read, modify, or exfiltrate database contents from Tongda OA deployments.
Affected Products
- Tongda2000 Office Anywhere 2017
- Tongda2000 Office Anywhere versions through 11.9
- Deployments exposing /pda/reportshop/new.php
Discovery Timeline
- 2024-11-01 - CVE-2024-10655 published to NVD
- 2024-11-04 - Last updated in NVD database
Technical Details for CVE-2024-10655
Vulnerability Analysis
The vulnerability exists in the PHP script /pda/reportshop/new.php, which is part of the Tongda OA mobile/PDA report module. The script accepts a repid parameter from the request and incorporates it into a SQL statement without adequate validation or parameterization. An attacker who can reach the endpoint over the network can supply crafted input that alters query logic. Successful exploitation can disclose limited database contents, modify records, or affect query availability depending on the underlying database privileges.
The issue is classified under CWE-89. Public details are available in the GitHub Issue Report and the VulDB entry.
Root Cause
The root cause is the direct concatenation of user-supplied input from the repid parameter into a SQL query string. The application neither enforces input type validation nor uses prepared statements with bound parameters. Because repid is expected to be a numeric report identifier, the absence of a type cast or whitelist lets SQL metacharacters and clauses pass straight through to the database driver.
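The following is an added Python illustration of the flaw class and its two fixes; it is not Tongda OA code and does not reproduce the PHP script's logic or schema. The in-memory report table, the row contents and the tampered value are constructed for the demonstration. It shows why a bound parameter alone already neutralizes the injected clause (the database receives it as an inert text value), and why the numeric type check the workarounds below describe is the right complement: a report id that is not a decimal integer is never a legitimate request.

```python
import sqlite3

# Constructed in-memory stand-in for a report table; not the Tongda OA schema.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (repid INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO report VALUES (?, ?)",
        [(1, "Q3 sales"), (2, "HR headcount"), (3, "Budget draft")],
    )
    return conn


def lookup_concatenated(conn, repid):
    """The flaw class: the raw request value is spliced into the statement text.

    Whatever the caller passes is parsed by the database as SQL.
    """
    sql = "SELECT repid, title FROM report WHERE repid = " + repid
    return conn.execute(sql).fetchall()


def lookup_bound(conn, repid):
    """Fix 1: a bound parameter. The value travels as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT repid, title FROM report WHERE repid = ?", (repid,)
    ).fetchall()


def validate_repid(raw):
    """Fix 2: type validation. A report id is a non-negative decimal integer, nothing else."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("repid must be a decimal integer")
    return int(raw)


def lookup_hardened(conn, raw):
    """Both fixes together: validate the type, then bind the resulting integer."""
    return lookup_bound(conn, validate_repid(raw))


if __name__ == "__main__":
    db = build_demo_db()
    tampered = "2 OR 1=1"  # constructed tautology standing in for any injected clause
    print("normal id, concatenated:", lookup_concatenated(db, "2"))
    print("tampered, concatenated :", lookup_concatenated(db, tampered))  # every row leaks
    print("tampered, bound only   :", lookup_bound(db, tampered))         # no rows: compared as text
    try:
        lookup_hardened(db, tampered)
    except ValueError as exc:
        print("tampered, hardened     : rejected,", exc)
```

The bound-only case returns no rows because SQLite compares the INTEGER column against a text value that cannot be coerced to a number; other engines behave similarly but may raise a type error instead, which is still a safe failure. Validating first is what turns the tampered request into a clean 4xx at the application boundary instead of a database round trip.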
Attack Vector
The attack is conducted remotely over the network against the HTTP interface exposed by Tongda OA. The attacker authenticates with low-privilege credentials and sends a crafted request to /pda/reportshop/new.php with a malicious repid value. No user interaction is required beyond the attacker's own request. Because the exploit is public, automated scanners and opportunistic attackers may attempt to weaponize it against internet-facing instances.
No verified exploit code is published in this advisory. Refer to the GitHub Issue Report for technical details on the injection point.
Detection Methods for CVE-2024-10655
Indicators of Compromise
- HTTP requests to /pda/reportshop/new.php containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP, or comment sequences (--, #) in the repid parameter.
- Web server logs showing repeated requests to /pda/reportshop/new.php with varying repid values from a single source.
- Database error messages or unusually long response times correlated with requests to the affected endpoint.
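As an added example, not part of the original advisory, the script below runs the first two indicators above over web server access logs: it parses each line, keeps only requests to /pda/reportshop/new.php, URL-decodes the repid value and reports which indicator fired, then counts flagged requests per source address. The log lines are constructed samples in NCSA combined style; the addresses, timestamps and payloads are invented, not observed traffic, and the indicator names are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (NCSA combined style) for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2024:10:15:01 +0000] "GET /pda/reportshop/new.php?repid=42 HTTP/1.1" 200 2311
10.0.0.5 - - [02/Nov/2024:10:15:09 +0000] "GET /pda/reportshop/new.php?repid=17 HTTP/1.1" 200 2290
203.0.113.7 - - [02/Nov/2024:10:16:00 +0000] "GET /pda/reportshop/new.php?repid=1%27%20OR%20SLEEP(5)--%20- HTTP/1.1" 200 2311
203.0.113.7 - - [02/Nov/2024:10:16:02 +0000] "GET /pda/reportshop/new.php?repid=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 412
10.0.0.9 - - [02/Nov/2024:10:17:00 +0000] "GET /general/index.php HTTP/1.1" 200 8123
"""

AFFECTED_PATH = "/pda/reportshop/new.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators from the IoC list, matched against the URL-decoded repid value.
INDICATORS = {
    "single_quote": re.compile(r"'"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "sleep_call": re.compile(r"\bsleep\s*\(", re.I),
    "comment_seq": re.compile(r"--|#|/\*"),
}


def repid_indicators(value):
    """Return the indicator names that fire for one decoded repid value.

    A strictly numeric value, the only legitimate shape of a report id, yields [].
    """
    hits = []
    if not value.isdigit():
        hits.append("non_numeric")
    for name, pattern in INDICATORS.items():
        if pattern.search(value):
            hits.append(name)
    return hits


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes, so the indicators see the value the PHP script sees.
    rec["repid"] = parse_qs(parts.query).get("repid", [None])[0]
    return rec


def analyze(log_text):
    """One finding per request to the affected endpoint whose repid looks suspicious."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != AFFECTED_PATH or rec["repid"] is None:
            continue
        hits = repid_indicators(rec["repid"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "repid": rec["repid"], "indicators": hits})
    return findings


def flagged_by_source(findings):
    """Count flagged requests per source address (the repeated-requests indicator)."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} status={f['status']} repid={f['repid']!r} "
              f"-> {', '.join(f['indicators'])}")
    print("flagged requests per source:", flagged_by_source(results))
```

The non_numeric check is the one that matters most in practice: it needs no payload keyword list, so it also catches obfuscated variants, and a single source producing several non-numeric repid values in a short window is a strong signal even when each individual request looks benign. Pair it with the 5xx status and response-time correlation from the third indicator when tuning alert thresholds.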
Detection Strategies
- Deploy web application firewall (WAF) signatures that inspect the repid parameter for SQL injection payloads.
- Enable verbose access logging on the Tongda OA web server and forward logs to a centralized analytics platform for query pattern analysis.
- Run authenticated vulnerability scans against Tongda OA hosts to identify vulnerable versions of /pda/reportshop/new.php.
Monitoring Recommendations
- Monitor database query logs for anomalous statements originating from the Tongda OA application user, including unexpected UNION queries or schema reads.
- Alert on outbound data transfer spikes from servers hosting Tongda OA that could indicate database exfiltration.
- Track failed and successful authentication events to the Tongda OA portal to correlate with suspicious request activity.
How to Mitigate CVE-2024-10655
Immediate Actions Required
- Restrict network access to Tongda OA instances so only trusted internal networks or VPN clients can reach /pda/reportshop/new.php.
- Apply WAF rules that block requests where the repid parameter contains non-numeric characters.
- Audit recent web server and database logs for evidence of exploitation attempts against the affected endpoint.
- Rotate database credentials used by the Tongda OA application if exploitation is suspected.
Patch Information
At the time of publication, no vendor advisory or official patch has been linked in the NVD record for CVE-2024-10655. Administrators should monitor the Tongda OA vendor channels and the VulDB entry for updated remediation guidance. Until a fix is released, apply the workarounds below.
Workarounds
- Block or restrict access to /pda/reportshop/new.php at the reverse proxy or WAF layer if the PDA report module is not in use.
- Enforce input validation at the proxy layer to reject repid values that are not strictly numeric.
- Operate the Tongda OA database service under a least-privilege account to limit the impact of a successful injection.
- Remove or disable unused modules of Tongda OA to reduce the attack surface exposed to authenticated users.
# Example NGINX rule to restrict repid to numeric values
# Note: $arg_repid is empty when the parameter is absent, so requests
# without repid are rejected as well.
location = /pda/reportshop/new.php {
    if ($arg_repid !~ "^[0-9]+$") {
        return 403;
    }
    proxy_pass http://tongda_backend;
}