CVE-2023-7180 in OA 2017info

Summary

by MITRE • 12/30/2023

A vulnerability has been found in Tongda OA 2017 up to 11.9 and classified as critical. Affected by this vulnerability is an unknown functionality of the file general/project/proj/delete.php. The manipulation of the argument PROJ_ID_STR leads to sql injection. The exploit has been disclosed to the public and may be used. Upgrading to version 11.10 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-249367. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 03/19/2025

The vulnerability identified as CVE-2023-7180 represents a critical sql injection flaw in the Tongda OA 2017 through 11.9 software suite, specifically within the general/project/proj/delete.php file. This vulnerability stems from improper input validation when processing the PROJ_ID_STR parameter, allowing malicious actors to manipulate database queries through crafted input values. The flaw exists in the application's handling of project identification strings during deletion operations, creating a pathway for unauthorized database access and potential data compromise. Security researchers have confirmed that exploitation of this vulnerability is publicly available, making it a significant risk for organizations utilizing affected versions of the software.

The technical implementation of this vulnerability aligns with CWE-89, which specifically addresses sql injection weaknesses in software applications. The flaw demonstrates how insufficient sanitization of user-supplied input can lead to arbitrary code execution and database manipulation. Attackers can exploit this by submitting malicious PROJ_ID_STR values that bypass normal input validation mechanisms, potentially enabling them to extract sensitive information, modify database records, or even escalate privileges within the affected system. The vulnerability's classification as critical reflects the potential for widespread impact across organizational databases and the relative ease of exploitation given the public disclosure of the attack vectors.

From an operational perspective, this vulnerability poses severe risks to organizations using Tongda OA systems, particularly those handling sensitive business data or confidential project information. The sql injection attack vector could enable unauthorized access to project records, user credentials, and potentially other organizational data stored within the database. The lack of vendor response to early disclosure attempts compounds the risk, leaving affected organizations without official patches or guidance during the vulnerability's active exploitation period. Organizations may face regulatory compliance issues if data breaches occur, as the vulnerability could result in unauthorized data access that violates privacy regulations and data protection standards.

Security organizations should implement immediate mitigations including input validation controls, web application firewall rules targeting the specific parameter, and network segmentation to limit access to affected systems. The recommended solution involves upgrading to version 11.10, which contains the necessary patches to address the sql injection vulnerability. Additionally, organizations should conduct comprehensive vulnerability assessments to identify other potential entry points and implement proper database access controls. The ATT&CK framework categorizes this vulnerability under T1190 - Exploit Public-Facing Application, emphasizing the need for proactive security measures and continuous monitoring of public exploit availability. Organizations must also consider implementing database activity monitoring solutions to detect anomalous query patterns that may indicate exploitation attempts.

Responsible

VulDB

Reservation

12/29/2023

Disclosure

12/30/2023

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00510

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!