He1D1

**Name of the Vulnerable Software and Affected Versions** Tongda OA 2017 up to 11.10 **Description** A critical vulnerability was found in the General News component of Tongda OA. The issue affects an unknown function of the file /manage/delete query.php. The manipulation of the `NEWS ID` argument leads to sql injection. The exploit has been disclosed to the public. The vendor was contacted about this disclosure but did not respond. **Recommendations** For Tongda OA 2017 up to 11.10, as a temporary workaround, consider restricting access to the /manage/delete query.php file until a patch is available. Avoid using the `NEWS ID` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.