CVE-2024-10657 Overview
CVE-2024-10657 is a SQL injection vulnerability in Tongda Office Anywhere (Tongda OA) versions up to 11.10. The flaw resides in the /pda/approve_center/prcs_info.php endpoint, where the RUN_ID parameter is passed to a backend database query without proper sanitization [CWE-89]. Remote attackers with low-level privileges can manipulate the parameter to inject arbitrary SQL statements. The exploit details have been publicly disclosed, increasing the likelihood of opportunistic attacks against exposed deployments.
Critical Impact
Authenticated attackers can extract, modify, or delete data from the Tongda OA database by injecting SQL through the RUN_ID parameter over the network.
Affected Products
- Tongda2000 Office Anywhere versions up to and including 11.10
- The vulnerable component is /pda/approve_center/prcs_info.php
- Deployments exposing the PDA approval center endpoint to untrusted networks
Discovery Timeline
- 2024-11-01 - CVE-2024-10657 published to the National Vulnerability Database
- 2024-11-04 - NVD entry last updated
Technical Details for CVE-2024-10657
Vulnerability Analysis
The vulnerability is a classic SQL injection flaw [CWE-89] in the Tongda OA PDA approval center module. The script prcs_info.php accepts the RUN_ID HTTP parameter and incorporates its value directly into a SQL query. Because the application does not apply parameterized queries or input sanitization, an attacker can break out of the intended query context. Submitting crafted payloads in RUN_ID allows execution of additional SQL statements within the database session.
Successful exploitation can lead to unauthorized disclosure of approval records, user credentials, and other tenant data stored in the OA database. Depending on the database account privileges, an attacker may also tamper with workflow records or pivot toward writing files to the host.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command. The RUN_ID argument is concatenated into a query string rather than bound as a typed parameter. The endpoint also lacks server-side type validation that would restrict RUN_ID to numeric values expected by the workflow logic.
Attack Vector
The attack vector is network-based and requires only low privileges to reach the vulnerable endpoint. An attacker sends an HTTP request to /pda/approve_center/prcs_info.php with a manipulated RUN_ID parameter containing SQL syntax. The injected payload executes within the application's database context and returns results or side effects observable to the attacker.
The vulnerability mechanism is described in the public GitHub Issue Discussion and the VulDB #282672 report. No verified proof-of-concept code is reproduced here.
Detection Methods for CVE-2024-10657
Indicators of Compromise
- HTTP requests to /pda/approve_center/prcs_info.php containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP(, or comment sequences (--, #) in the RUN_ID parameter
- Unusually long RUN_ID values or non-numeric content in a parameter typically holding an integer workflow identifier
- Database error messages or stack traces returned in HTTP responses from the approval center module
Detection Strategies
- Inspect web server and application logs for RUN_ID parameter values that deviate from the expected integer format
- Deploy web application firewall signatures targeting SQL injection patterns against the /pda/approve_center/ path
- Correlate anomalous database query volume or duration with requests reaching prcs_info.php
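The log-inspection strategy above (expected-integer check on RUN_ID, the metacharacters from the indicator list, and the database-error response correlation) as an added example written for this page, not tooling from Tongda2000 or VulDB. It assumes Combined Log Format access logs; the sample lines, the 32-character length bound and the keyword list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not real Tongda OA traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2024:10:15:01 +0800] "GET /pda/approve_center/prcs_info.php?RUN_ID=1234 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Nov/2024:10:15:07 +0800] "GET /pda/approve_center/prcs_info.php?RUN_ID=1234'%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.9 - - [02/Nov/2024:10:15:09 +0800] "GET /pda/approve_center/prcs_info.php?RUN_ID=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 88 "-" "python-requests/2.31"
10.0.0.7 - - [02/Nov/2024:10:16:00 +0800] "GET /general/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

TARGET_PATH = "/pda/approve_center/prcs_info.php"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Metacharacters and keywords from the indicator list; applied to the percent-decoded value.
SQL_META_RE = re.compile(r"""['"#]|--|/\*|\b(?:union|select|sleep|benchmark)\b""", re.IGNORECASE)
MAX_EXPECTED_LEN = 32  # assumed upper bound for a legitimate integer workflow identifier

def classify_run_id(value):
    """Return None for a well-formed integer RUN_ID, else a list of reasons it is suspicious."""
    if re.fullmatch(r"[0-9]+", value):
        return None
    reasons = []
    if SQL_META_RE.search(value):
        reasons.append("sql-metacharacters")
    if len(value) > MAX_EXPECTED_LEN:
        reasons.append("unusual-length")
    return reasons or ["non-numeric"]

def scan_log(text):
    """Return one finding per prcs_info.php request whose RUN_ID deviates from the integer format."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes, so encoded quotes and spaces are inspected in decoded form
        for raw in parse_qs(parts.query, keep_blank_values=True).get("RUN_ID", []):
            reasons = classify_run_id(raw)
            if reasons is None:
                continue
            if int(m.group("status")) >= 500:
                reasons.append("server-error-response")  # the database-error indicator
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "run_id": raw, "reasons": reasons})
    return findings
```

Each finding carries the source IP, timestamp and decoded RUN_ID, which is what an analyst needs to pivot into the session history before rotating credentials.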
Monitoring Recommendations
- Enable verbose access logging on the Tongda OA front-end web server and forward logs to a central analytics platform
- Alert on authenticated sessions issuing requests with SQL keywords in query parameters
- Monitor outbound database connections and large result sets originating from the OA application service account
How to Mitigate CVE-2024-10657
Immediate Actions Required
- Restrict network access to the Tongda OA PDA endpoints to trusted internal users and VPN clients only
- Audit web server logs since at least 2024-11-01 for suspicious RUN_ID values targeting prcs_info.php
- Rotate database and application credentials if injection attempts or anomalous queries are observed
Patch Information
No vendor advisory or fixed version has been published in the references associated with CVE-2024-10657. Operators should contact Tongda2000 directly for an updated build and monitor the VulDB CTI Report #282672 for further updates.
Workarounds
- Place the Tongda OA application behind a web application firewall with SQL injection rules enabled for the /pda/approve_center/ path
- Enforce strict server-side type validation that rejects non-numeric RUN_ID values at the reverse proxy or WAF layer
- Limit the database account used by the OA application to least-privilege permissions, removing rights to read sensitive tables or execute file operations
# Example ModSecurity rule to block non-numeric RUN_ID values
SecRule REQUEST_URI "@beginsWith /pda/approve_center/prcs_info.php" \
"chain,phase:2,deny,status:400,id:1010657,msg:'CVE-2024-10657 RUN_ID validation'"
SecRule ARGS:RUN_ID "!@rx ^[0-9]+$" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.