Seeyon · Seeyon Zhiyuan OA · CVE-2025-15427
**Name of the Vulnerable Software and Affected Versions**
Seeyon Zhiyuan OA Web Application System versions prior to 20251222
**Description**
Seeyon Zhiyuan OA Web Application System contains a SQL injection vulnerability in an unknown function of the file `/carManager/carUseDetailList.j%73p`. Manipulating the `CAR BRAND NO` argument leads to SQL injection. The attack can be performed remotely, and the exploit has been publicly released. The vendor was contacted but did not respond.
**Recommendations**
Versions prior to 20251222 should be updated. As a temporary workaround, restrict access to the `/carManager/carUseDetailList.j%73p` file. Avoid using the `CAR BRAND NO` parameter until the issue is resolved.
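
For the temporary workaround above, an access rule has to match the path after decoding: `%73` is the percent-encoding of `s`, so the path on this page resolves to a `.jsp` file, and a rule written against only one spelling misses the other. The sketch below is an added example, not code from the vendor or the advisory; the function names, the decode bound, the case folding and the log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Path from the advisory in decoded, lower-cased form (%73 decodes to "s").
BLOCKED_PATH = "/carmanager/carusedetaillist.jsp"
MAX_DECODE_ROUNDS = 3  # assumption: bound for nested encodings such as %2573


def canonical_path(request_target: str) -> str:
    """Reduce a request target to one canonical path for rule matching."""
    path = urlsplit(request_target).path
    # Decode repeatedly so %73 and double-encoded %2573 both become "s".
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Drop servlet-style path parameters (";name=value") from each segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse "//", "/./" and "/../"; fold case (assumption: conservative for a deny rule).
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_blocked(request_target: str) -> bool:
    return canonical_path(request_target) == BLOCKED_PATH


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Dec/2025:10:00:01 +0000] "GET /carManager/carUseDetailList.jsp?page=1 HTTP/1.1" 200 512
203.0.113.7 - - [22/Dec/2025:10:00:02 +0000] "GET /carManager/carUseDetailList.j%73p?page=1 HTTP/1.1" 200 512
203.0.113.7 - - [22/Dec/2025:10:00:03 +0000] "GET /carManager/./carUseDetailList.j%2573p;x=1 HTTP/1.1" 200 512
198.51.100.9 - - [22/Dec/2025:10:00:04 +0000] "GET /carManager/carList.jsp HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def flagged_targets(log_text: str) -> list[str]:
    """Return request targets in the log that resolve to the blocked path."""
    targets = (m.group(1) for m in REQUEST_RE.finditer(log_text))
    return [t for t in targets if is_blocked(t)]


if __name__ == "__main__":
    for target in flagged_targets(SAMPLE_LOG):
        print("blocked:", target)
```

The same canonicalisation applies whether the rule runs in a reverse proxy, a WAF or a log query: normalise first, then compare against the single decoded path.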