CVE-2024-10658 Overview
CVE-2024-10658 is a SQL injection vulnerability in Tongda Office Anywhere (Tongda OA) versions up to 11.10. The flaw resides in the /pda/approve_center/check_seal.php endpoint, where the ID parameter is passed to a database query without proper sanitization. An authenticated remote attacker can manipulate this parameter to inject arbitrary SQL statements. The exploit details have been disclosed publicly, increasing the risk of opportunistic attacks against exposed installations. The weakness is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Remote attackers with low-privilege accounts can extract, modify, or destroy data stored in the Tongda OA database through crafted requests to check_seal.php.
Affected Products
- Tongda2000 Office Anywhere versions up to and including 11.10
- Component: /pda/approve_center/check_seal.php
- CPE: cpe:2.3:a:tongda2000:office_anywhere:*:*:*:*:*:*:*:*
Discovery Timeline
- 2024-11-01 - CVE-2024-10658 published to the National Vulnerability Database
- 2024-11-04 - Last updated in NVD database
Technical Details for CVE-2024-10658
Vulnerability Analysis
The vulnerability resides in the mobile approval module of Tongda OA, specifically the check_seal.php script under /pda/approve_center/. The application accepts an ID parameter from the HTTP request and concatenates it directly into a SQL query. Because the value is not validated, parameterized, or escaped, an attacker can break out of the intended query context. The attack requires network access to the application and a low-privilege authenticated session. Successful exploitation allows the attacker to retrieve sensitive database contents, bypass authentication logic, or modify approval records. The flaw is classified as CWE-89.
Root Cause
The root cause is improper neutralization of user-controlled input before it is incorporated into a SQL statement. The ID argument in check_seal.php is trusted by the backend and inserted into a query string without prepared statements or input filtering. This pattern is common in legacy PHP applications that build queries through string concatenation.
Attack Vector
The attack is delivered remotely over HTTP or HTTPS. An attacker sends a crafted request to the /pda/approve_center/check_seal.php endpoint with a malicious payload in the ID parameter. Typical payloads include UNION SELECT statements to enumerate database tables, boolean-based blind injections to extract data character by character, or stacked queries depending on the database driver in use. Public proof-of-concept material is referenced in the GitHub Issue Report and the VulDB entry.
No verified exploit code is reproduced here. Refer to the linked advisories for technical payload details.
Detection Methods for CVE-2024-10658
Indicators of Compromise
- HTTP requests to /pda/approve_center/check_seal.php containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP( in the ID parameter.
- Web server access logs showing unusually long ID values or URL-encoded SQL keywords (%27, %20UNION%20).
- Database error messages returned to clients referencing MySQL syntax or column counts.
- Spikes in query latency or unusual outbound data volume from the Tongda OA server.
Detection Strategies
- Deploy WAF or IPS signatures that inspect query parameters to check_seal.php for SQL injection patterns.
- Enable database audit logging and alert on unexpected INFORMATION_SCHEMA queries originating from the OA application user.
- Correlate authentication events with subsequent malformed requests to identify low-privilege accounts probing the endpoint.
Monitoring Recommendations
- Forward web server, application, and database logs to a centralized analytics platform for correlation.
- Establish a baseline of normal ID parameter values and alert on deviations such as non-numeric input.
- Monitor for new or modified rows in approval and seal-related tables outside of normal business workflows.
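The indicator list above and the non-numeric ID baseline under Monitoring Recommendations, as an added example in Python (not code from this page or from the Tongda OA project): it parses constructed access-log lines in combined format, decodes the ID value sent to check_seal.php, and reports which of the listed indicators fire. The sample log lines, the 20-character length threshold and the alert field names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2024:09:14:02 +0000] "GET /pda/approve_center/check_seal.php?ID=1042 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Nov/2024:09:15:10 +0000] "GET /pda/approve_center/check_seal.php?ID=1042%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 740 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Nov/2024:09:15:31 +0000] "GET /pda/approve_center/check_seal.php?ID=1042%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Nov/2024:09:16:00 +0000] "GET /general/index.php?ID=1%27 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

ENDPOINT = "/pda/approve_center/check_seal.php"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')
# Keywords and metacharacters from the indicator list, matched after decoding.
SQL_PATTERN = re.compile(r"(?i)\b(union|select|sleep|benchmark)\b|'|--|/\*|;")

def extract_id(target):
    """Return the ID query value (percent-decoded once by parse_qs) or None."""
    for key, vals in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if key.lower() == "id":  # case-insensitive on purpose, to keep detection broad
            return vals[0]
    return None

def classify_id(value):
    """Return the names of the indicators that fire for one ID value."""
    if value is None:
        return []
    decoded = unquote_plus(value)  # second decode catches double-encoded payloads
    reasons = []
    if not re.fullmatch(r"\d+", decoded):
        reasons.append("non_numeric")
    if SQL_PATTERN.search(decoded):
        reasons.append("sql_pattern")
    if len(decoded) > 20:  # assumed baseline: legitimate IDs are short integers
        reasons.append("long_value")
    return reasons

def scan_log(text):
    """Return one alert per request to the vulnerable endpoint whose ID looks hostile."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path != ENDPOINT:
            continue  # other endpoints are out of scope for this indicator
        value = extract_id(m["target"])
        reasons = classify_id(value)
        if reasons:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "id": value, "reasons": reasons})
    return alerts
```

Run `scan_log` over the real access log and feed the alert dicts to the central analytics platform; the fourth sample line shows that the same payload against another path is deliberately ignored here.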
How to Mitigate CVE-2024-10658
Immediate Actions Required
- Restrict access to the /pda/ directory using network ACLs or reverse proxy rules until a vendor patch is applied.
- Audit Tongda OA user accounts and disable any unused low-privilege accounts that could be leveraged for exploitation.
- Review database logs for evidence of prior exploitation, focusing on queries originating from the application service account.
Patch Information
No vendor advisory or fixed version has been published in the referenced sources at the time of CVE assignment. Administrators should monitor the Tongda OA vendor channels and the VulDB entry for patch releases. Until a fix is available, compensating controls are required.
Workarounds
- Place a web application firewall in front of Tongda OA and block requests to check_seal.php that contain SQL keywords or non-numeric ID values.
- Limit the database user account used by Tongda OA to least privilege, removing rights to INFORMATION_SCHEMA, FILE, and DDL operations where possible.
- Require VPN or IP allowlisting for access to the mobile approval module to reduce the exposed attack surface.
    # Example nginx rule to block non-numeric ID values to the vulnerable endpoint.
    # Caveats: this only inspects the query string (an ID sent in a POST body is not
    # checked), requests without any ID parameter are also rejected, and the rule is
    # a stop-gap, not a substitute for a parameterized query in check_seal.php.
    location /pda/approve_center/check_seal.php {
        if ($arg_ID !~ "^[0-9]+$") {
            return 403;
        }
        proxy_pass http://tongda_backend;   # tongda_backend: the upstream block for Tongda OA
    }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.