CVE-2023-5026 is a cross-site scripting (XSS) vulnerability affecting Tongda OA version 11.10. The /general/ipanel/menu_code.php endpoint writes the OA_SUB_WINDOW request parameter into the page without encoding it, so an attacker can inject script that runs in the browser of any user who opens a crafted link, potentially leading to session hijacking or data theft. The issue is addressed in version 11.10.1.
Successful exploitation of CVE-2023-5026 lets an attacker execute arbitrary JavaScript in the context of a victim's browser session with the application. Because the injection is reflected from the request, the attacker must get a victim to open a crafted URL (for example via a phishing message or a link placed in another page), after which the script runs with the victim's origin and privileges. From there the attacker can read data the victim can see, perform actions as the victim, steal session cookies if they are not marked HttpOnly, redirect the user to a malicious site, deface the application, or deliver malware. The impact is amplified when the instance manages sensitive data or handles financial transactions, and an administrator's session is the highest-value target. The vulnerability is exploitable remotely: the attacker does not need to be on the same network as the server.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. Although the CVSS score is low, the ease of exploitation (a single crafted GET request) and the potential impact warrant prompt remediation. As of the publication date (2023-09-17), there are no reports of active exploitation campaigns targeting this specific vulnerability, but the public disclosure increases the risk of opportunistic attacks.
Organizations running Tongda OA version 11.10 are at risk, particularly those whose instance is reachable from the internet or handles sensitive user data. Multi-tenant deployments where many users share one Tongda OA instance are especially exposed: a script injected into one user's session runs with that user's privileges, so a single successful phish can expose data and actions beyond the account that was targeted.
Detection checks:
• generic web (confirm the endpoint answers and what content type it returns):
curl -sI 'http://your-tongda-oa-server/general/ipanel/menu_code.php?MENU_TYPE=FAV&OA_SUB_WINDOW=<script>alert(1)</script>' | grep -i 'Content-Type:'
• generic web (check whether the payload comes back unencoded in the response body; note that a match can also come from the page's own <script> tags, so use a unique marker when you need a definitive answer):
curl -s 'http://your-tongda-oa-server/general/ipanel/menu_code.php?MENU_TYPE=FAV&OA_SUB_WINDOW=<script>alert(1)</script>' | grep '<script>'
Exploit status: disclosure
EPSS: 0.07% (21st percentile)
CVSS vector:
The primary mitigation for CVE-2023-5026 is to upgrade Tongda OA to version 11.10.1 or later, which contains the fix. If upgrading is not immediately feasible, apply output encoding at the point where the OA_SUB_WINDOW value is written into the page (HTML-encode it for the context it lands in) and validate the value against the set of values the application actually expects. A web application firewall (WAF) can be configured to block requests with suspicious patterns in the OA_SUB_WINDOW parameter, but treat that as a stopgap: input filtering can be bypassed, and only encoding at output reliably removes the injection. Review security policies and code review checklists so that XSS in request-parameter reflection is covered.
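The detection checks above and the output-encoding mitigation, as an added example that is not part of the original page or of Tongda OA's own code. It takes only the endpoint and parameter names from the advisory; the base URL, the `xss` marker prefix, the canary format and the sample response bodies are constructed for illustration. Instead of grepping for `<script>`, which also matches the application's own script tags, it sends a unique canary and classifies how it comes back: reflected raw (the vulnerable condition), HTML-encoded (what a correct output-encoding fix produces), stripped (an input filter or WAF removed the brackets, which is not a complete fix), or absent.

```python
"""Check a Tongda OA instance for CVE-2023-5026 (reflected XSS via the
OA_SUB_WINDOW parameter of /general/ipanel/menu_code.php).

Added example; not code from the advisory or from Tongda OA.
"""
import html
import secrets
import sys
import urllib.parse
import urllib.request

ENDPOINT = "/general/ipanel/menu_code.php"  # path named in the advisory
PARAM = "OA_SUB_WINDOW"                      # parameter named in the advisory
TAG = "xss"                                  # arbitrary marker prefix (assumption)


def make_canary(nonce: str = "") -> str:
    """Build a probe value such as '<xss1a2b3c4d>'.

    The angle brackets are exactly what an HTML-encoding fix must neutralise;
    the random nonce makes the marker unique so a hit cannot come from the
    page's own markup."""
    if not nonce:
        nonce = secrets.token_hex(4)
    return f"<{TAG}{nonce}>"


def build_probe_url(base_url: str, canary: str, menu_type: str = "FAV") -> str:
    """Full probe URL with the query string URL-encoded (curl sends '<' raw)."""
    query = urllib.parse.urlencode({"MENU_TYPE": menu_type, PARAM: canary})
    return base_url.rstrip("/") + ENDPOINT + "?" + query


def classify_reflection(body: str, canary: str) -> str:
    """How does the canary appear in the response body?

    'raw'      reflected verbatim: written into HTML without encoding
    'encoded'  reflected as '&lt;xss...&gt;': output is HTML-encoded
    'stripped' nonce present but brackets gone: an input filter/WAF removed them
    'absent'   not reflected at all in this response
    """
    if canary in body:
        return "raw"
    if html.escape(canary) in body:   # '<' -> '&lt;', '>' -> '&gt;'
        return "encoded"
    if canary[1:-1] in body:          # marker without its brackets
        return "stripped"
    return "absent"


VERDICT = {
    "raw": "VULNERABLE: OA_SUB_WINDOW is reflected without HTML encoding",
    "encoded": "reflection is HTML-encoded (fixed, or not vulnerable in this context)",
    "stripped": "brackets filtered (WAF/input filter?); encoding at output is still the real fix",
    "absent": "value not reflected in this response",
}

# Constructed sample responses (not captured from a real instance) showing each
# outcome for the canary '<xssdeadbeef>'. Both the vulnerable and the encoded
# bodies contain a <script> tag of their own, which is why grep '<script>'
# alone cannot tell them apart.
SAMPLE_CANARY = make_canary("deadbeef")
SAMPLE_BODIES = {
    "vulnerable": "<html><script>var oa=1;</script><div><xssdeadbeef></div></html>",
    "output-encoded": "<html><script>var oa=1;</script><div>&lt;xssdeadbeef&gt;</div></html>",
    "bracket-stripped": "<html><div>xssdeadbeef</div></html>",
    "not-reflected": "<html><div>menu</div></html>",
}


def demo() -> dict:
    """Classify the constructed samples (offline)."""
    return {name: classify_reflection(body, SAMPLE_CANARY)
            for name, body in SAMPLE_BODIES.items()}


def fetch(url: str, timeout: float = 10.0) -> str:
    """GET the URL and return the body as text. The canary is ASCII, so a
    GBK or otherwise non-UTF-8 page does not affect the check."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2023-5026-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read()
        charset = resp.headers.get_content_charset() or "utf-8"
    try:
        return raw.decode(charset, errors="replace")
    except LookupError:
        return raw.decode("utf-8", errors="replace")


def probe(base_url: str) -> str:
    """Run one live probe against base_url and return the classification."""
    canary = make_canary()
    return classify_reflection(fetch(build_probe_url(base_url, canary)), canary)


if __name__ == "__main__":
    # usage: python check_cve_2023_5026.py http://your-tongda-oa-server
    if len(sys.argv) != 2:
        sys.exit("usage: check_cve_2023_5026.py <base-url>")
    result = probe(sys.argv[1])
    print(f"{result}: {VERDICT[result]}")
```

Run it with the base URL of the instance under test. If the instance redirects unauthenticated requests to its login page, an `absent` result only shows that the probe never reached the vulnerable code path; add a valid session cookie to the request headers in `fetch` before drawing conclusions. Only `raw` is a positive finding; `stripped` means something is filtering brackets, which is not equivalent to the upgrade or to encoding at output.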
Update Tongda OA to a version later than 11.10 that has fixed the XSS vulnerability. Consult the vendor's website for the latest version and upgrade instructions. As a temporary measure, you can implement input filtering rules for the OA_SUB_WINDOW parameter to prevent injection of malicious code.
CVE-2023-5026 is a cross-site scripting (XSS) vulnerability in Tongda OA version 11.10 that allows attackers to inject malicious scripts via the OA_SUB_WINDOW parameter of the /general/ipanel/menu_code.php endpoint.
You are affected if you are running Tongda OA version 11.10. Upgrade to version 11.10.1 or later to mitigate the risk.
Upgrade Tongda OA to version 11.10.1 or later. As a temporary workaround, implement input validation and output encoding for the OA_SUB_WINDOW parameter.
While there are no confirmed reports of active exploitation, the vulnerability has been publicly disclosed, increasing the risk of opportunistic attacks.
Refer to the Tongda OA official website or security advisories for the latest information and updates regarding CVE-2023-5026.