CVE-2023-5026 is a cross-site scripting (XSS) vulnerability in Tongda OA version 11.10. User-controlled input to the OA_SUB_WINDOW parameter of the /general/ipanel/menu_code.php endpoint reaches the page without adequate output encoding, so an attacker can inject script that runs in the browser of another user who views the affected page, which can lead to session hijacking or data theft. The issue is fixed in version 11.10.1.
Impact and Attack Scenarios
Successful exploitation of CVE-2023-5026 lets an attacker run arbitrary JavaScript in the context of a victim's authenticated Tongda OA session. Script running in that origin can read the DOM, issue requests with the victim's privileges, redirect the user to an attacker-controlled site, or deface the page; if the session cookie is not marked HttpOnly, it can also read the cookie with document.cookie and hand the session to the attacker. The CVSS vector rates this as a low integrity impact with no confidentiality impact, which reflects the need for an authenticated victim to open a crafted link rather than an absence of risk: where the OA instance manages sensitive data or financial transactions, a hijacked session exposes that data and the operations the victim can perform. No network adjacency is required; the attacker only needs to get the crafted URL in front of a logged-in user.
Exploitation Context
This vulnerability has been publicly disclosed, and a proof-of-concept may be available. The CVSS base severity is Low, but the attack is easy to carry out and the impact scales with what the OA instance holds, so prompt remediation is warranted. As of the publication date (2023-09-17), there were no reports of active exploitation campaigns targeting this vulnerability, but public disclosure raises the risk of opportunistic attacks.
Threat Intelligence
- Exploit status: no confirmed reports of in-the-wild exploitation as of publication; a public proof-of-concept may exist.
- EPSS: 0.07% (21st percentile)
- CVSS v3 vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N (base score 3.5, Low)
What the vector components mean for this issue:
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: Required — the victim must take an action, such as clicking a crafted link or visiting a crafted page.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact scored. Attacker cannot read protected data directly.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: None — no availability impact. Service remains fully operational.
Affected Software
- Tongda OA 11.10 (fixed in 11.10.1)
Weakness Classification (CWE)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Timeline
- Published: 2023-09-17
Mitigation and Workarounds
The definitive fix for CVE-2023-5026 is to upgrade Tongda OA to version 11.10.1 or later. If that cannot be done immediately, layer the following controls rather than relying on any one of them:
- Output-encode the OA_SUB_WINDOW value at the point where it is written into the page (HTML-entity encoding for element content, attribute encoding inside attributes). Input filtering on its own is routinely bypassed with alternate encodings, so treat it as a supplement to encoding, not a replacement.
- Configure the web application firewall or reverse proxy to block requests to /general/ipanel/menu_code.php whose OA_SUB_WINDOW value contains HTML or script metacharacters after URL decoding, and log what is blocked so probing can be investigated.
- Mark session cookies HttpOnly and deploy a Content-Security-Policy that disallows inline script. Neither removes the bug, but both limit what an injected payload can do.
- Review security policies and tests so that XSS in request parameters is covered for this and other endpoints.
How to fix
Update Tongda OA to version 11.10.1 or later, following the vendor's upgrade instructions, and confirm the running version afterwards. Until the upgrade is in place, apply the encoding and filtering measures above to the OA_SUB_WINDOW parameter.
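The WAF and logging advice above is easiest to reason about as code. The script below is an added example for this advisory, not code from Tongda OA or from the original page: it triages web-server access logs for requests that probe the OA_SUB_WINDOW parameter of /general/ipanel/menu_code.php with HTML or script metacharacters. It assumes Apache/Nginx combined log format, uses only the endpoint and parameter named in the advisory, and every log line in it is constructed for illustration. It also shows why a naive filter must decode before matching: the third sample line is double-percent-encoded and would slip past a rule that only looks for a literal `<`.

```python
"""Flag access-log requests that probe CVE-2023-5026 (Tongda OA menu_code.php XSS).

Added example for this advisory, not code from Tongda OA or the original page.
Assumes Apache/Nginx combined log format; the endpoint and parameter come from
the advisory; all sample log lines are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/general/ipanel/menu_code.php"
PARAM = "OA_SUB_WINDOW"

# Combined log format: client - user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Tokens a window-name parameter should never legitimately contain: tag
# delimiters, quotes (attribute break-out), javascript: URLs, inline event
# handlers, and HTML entities used to smuggle any of the above.
SUSPICIOUS = re.compile(
    r'[<>"\']|javascript:|\bon\w+\s*=|&#x?[0-9a-f]+;?', re.IGNORECASE
)


def full_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %253C (double-encoded '<') is seen the way
    a lenient server or a second decoding layer would see it."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_param(target: str) -> list:
    """Return decoded OA_SUB_WINDOW values from a request target, or [] when
    the request is not for the vulnerable endpoint."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    return [full_decode(v) for v in query.get(PARAM, [])]


def is_suspicious(value: str) -> bool:
    """True if the decoded parameter value carries XSS metacharacters."""
    return SUSPICIOUS.search(value) is not None


def triage(log_lines) -> list:
    """Return (client_ip, timestamp, decoded_value) for each suspicious request."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; skip rather than crash
        for value in extract_param(match.group("target")):
            if is_suspicious(value):
                hits.append((match.group("ip"), match.group("ts"), value))
    return hits


# Constructed sample log (not real traffic). Line 1 is benign, line 4 hits a
# different endpoint, line 6 is malformed; lines 2, 3 and 5 are probe patterns
# (plain, double-encoded, and attribute break-out without angle brackets).
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Sep/2023:10:00:01 +0000] "GET /general/ipanel/menu_code.php?OA_SUB_WINDOW=main HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Sep/2023:10:02:13 +0000] "GET /general/ipanel/menu_code.php?OA_SUB_WINDOW=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Sep/2023:10:02:15 +0000] "GET /general/ipanel/menu_code.php?OA_SUB_WINDOW=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [17/Sep/2023:10:03:00 +0000] "GET /general/index.php?q=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [17/Sep/2023:10:05:42 +0000] "GET /general/ipanel/menu_code.php?OA_SUB_WINDOW=x%22%20onmouseover%3Dalert(1)%20y%3D%22 HTTP/1.1" 200 655 "-" "curl/8.1.2"',
    'garbage line that is not in combined log format',
]

if __name__ == "__main__":
    for ip, ts, value in triage(SAMPLE_LOG):
        print(f"{ts} {ip} {value!r}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. The same decode-then-match logic is what a WAF rule for this endpoint needs; a rule that inspects the raw query string misses the double-encoded probe. Expect some false positives from the `on…=` pattern if legitimate window names contain that substring, and treat any hit as a reason to check whether the upgrade to 11.10.1 has been applied, not as proof of compromise.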
Frequently asked questions
What is CVE-2023-5026 — XSS in Tongda OA 11.10?
CVE-2023-5026 is a cross-site scripting (XSS) vulnerability in Tongda OA version 11.10 that allows attackers to inject malicious scripts via the OA_SUB_WINDOW parameter of the /general/ipanel/menu_code.php endpoint.
Am I affected by CVE-2023-5026 in Tongda OA 11.10?
You are affected if you are running Tongda OA version 11.10. Upgrade to version 11.10.1 or later to mitigate the risk.
How do I fix CVE-2023-5026 in Tongda OA 11.10?
Upgrade Tongda OA to version 11.10.1 or later. As a temporary workaround, output-encode the OA_SUB_WINDOW value where it is rendered and filter or block requests that carry HTML or script metacharacters in that parameter.
Is CVE-2023-5026 being actively exploited?
While there are no confirmed reports of active exploitation, the vulnerability has been publicly disclosed, increasing the risk of opportunistic attacks.
Where can I find the official Tongda OA advisory for CVE-2023-5026?
Refer to the Tongda OA official website or security advisories for the latest information and updates regarding CVE-2023-5026.