Key information

1. Vulnerability name:
- TONGDA OA UP TO 11.6 WEB_SHOW.PHP ID SQL INJECTION

2. Vulnerability identifiers:
- VDB-282899
- CVE-2024-10730

3. CVSS Meta Temp Score:
- 6.0

4. Current exploit price:
- $0-$5k

5. CTI interest score:
- 2.54

6. Vulnerability description:
- A vulnerability, which was classified as critical, has been found in Tongda OA up to 11.6. This issue affects an unknown functionality of the file /pda/appcenter/web_show.php. The manipulation of the argument ID with an unknown input leads to an SQL injection vulnerability. Using CWE to declare the problem leads to CWE-89: the product constructs all or part of an SQL command using externally influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended SQL command when it is sent to a downstream component. Confidentiality, integrity, and availability are impacted. The summary by CVE is:
- A vulnerability, which was classified as critical, has been found in Tongda OA up to 11.6. This issue affects some unknown processing of the file /pda/appcenter/web_show.php. The manipulation of the argument ID leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

7. Vulnerability identification:
- The identification of this vulnerability is CVE-2024-10730. The exploitation is known to be easy. The attack may be initiated remotely. Technical details as well as a public exploit are known. The attack technique deployed by this issue is T1505 according to MITRE ATT&CK.

8. Exploitation:
- The exploit is available at github.com. It is declared as proof-of-concept. By approaching the search of inurl:pda/appcenter/web_show.php it is possible to find vulnerable targets with Google Hacking.

9. Recommended countermeasures:
- There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Product information

Product:
- Vendor

Other information

Copyright:
- © 1997-2024 vuldb.com - cc by-nc-sa

Language options:
- de, fr, it, es, pt, ru, pl, sv, zh, ja, ar

Version:
- v18.9.5