CVE-2023-7023 in OA 2017
Summary
by MITRE • 12/21/2023
A vulnerability was found in Tongda OA 2017 up to 11.9. It has been rated as critical. Affected by this issue is some unknown functionality of the file general/vehicle/query/delete.php. The manipulation of the argument VU_ID leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. VDB-248570 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 03/19/2025
CVE-2023-7023 is a critical SQL injection flaw in Tongda OA 2017 up to version 11.9, located in the file general/vehicle/query/delete.php. It stems from improper validation of the VU_ID parameter: user-supplied input reaches a database query without being neutralized, so crafted input can alter the query. The result is a path to unauthorized database access and potential data compromise.
The weakness is classified as CWE-89 (SQL injection), a failure to neutralize input before it is used in a database query. The attack vector is remote: the vulnerable file can be reached over the network, and no physical access to the target system is required. This increases the attack surface and potential impact, since the application can be targeted from anywhere that has network access to it. The critical rating reflects the severity of the potential consequences, including data theft, unauthorized system access, and possible complete system compromise.
The operational impact extends beyond data extraction, as SQL injection can enable attackers to escalate privileges, modify database contents, and potentially gain persistent access to the underlying system. The fact that an exploit has been publicly disclosed and is available raises the risk substantially, because an attacker no longer needs to develop one. Organizations running affected versions of Tongda OA face immediate risk of compromise, particularly if they have not implemented additional security controls or network segmentation to protect the application.
Mitigation should prioritize the recommended upgrade to version 11.10, which addresses this vulnerability. Additionally, network segmentation should be implemented to limit access to the vulnerable application, and input validation should be enforced through web application firewalls and backed by security monitoring. Organizations should also conduct vulnerability assessments to identify other affected systems in their environment and apply database access controls that limit the impact of a successful attack. The lack of vendor response to the early disclosure attempt underscores the importance of proactive security measures and of maintaining independent security monitoring capabilities.
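As an illustration of the security monitoring mentioned above, the following added example (not code from the advisory or from Tongda OA) triages web access logs for requests to the affected file whose VU_ID value is not a plain integer list. It assumes combined-format access logs, that legitimate VU_ID values are integers or comma-separated integers, and that the parameter arrives in the query string; POST bodies are not visible in access logs and need WAF or application-level logging.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

TARGET_PATH = "/general/vehicle/query/delete.php"  # file named in the advisory
PARAM = "VU_ID"                                     # parameter named in the advisory
# Assumption: a legitimate value is one integer or a comma-separated list of integers.
BENIGN = re.compile(r"\d+(,\d+)*,?")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_values(log_line):
    """Return VU_ID values from one log line that are not plain integer lists."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    # Collapse duplicate slashes and ignore case so trivial path variants still match
    # (assumption: the web server treats these variants as the same file).
    path = re.sub(r"/+", "/", unquote(url.path)).lower()
    if path != TARGET_PATH:
        return []
    # parse_qsl percent-decodes values, so encoded quotes and spaces are compared decoded.
    return [value for key, value in parse_qsl(url.query)
            if key == PARAM and not BENIGN.fullmatch(value)]

SAMPLE_LOG = [  # constructed lines for illustration, not real traffic
    '192.0.2.10 - - [21/Dec/2023:10:00:01 +0000] "GET /general/vehicle/query/delete.php?VU_ID=12 HTTP/1.1" 200 512',
    '192.0.2.10 - - [21/Dec/2023:10:00:05 +0000] "GET /general/vehicle/query/delete.php?VU_ID=12,13, HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Dec/2023:10:02:11 +0000] "GET /general/vehicle/query/delete.php?VU_ID=1%27 HTTP/1.1" 200 498',
    '198.51.100.7 - - [21/Dec/2023:10:02:12 +0000] "GET /General//vehicle/query/delete.php?VU_ID=1+OR+1%3D1 HTTP/1.1" 200 498',
    '192.0.2.10 - - [21/Dec/2023:10:03:00 +0000] "GET /general/vehicle/query/index.php?VU_ID=x HTTP/1.1" 200 900',
]

def triage(lines):
    """Return (source_ip, decoded_value) pairs for every flagged request."""
    return [(line.split()[0], v) for line in lines for v in suspicious_values(line)]

if __name__ == "__main__":
    for ip, value in triage(SAMPLE_LOG):
        print(f"review: {ip} sent {PARAM}={value!r}")
```

A hit is a lead for review, not proof of compromise; correlate flagged sources with database and authentication logs for the same time window.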