CVE-2025-5140

Name of the Vulnerable Software and Affected Versions Seeyon Zhiyuan OA Web Application System versions up to 8.1 SP2

Description A critical vulnerability has been found in the Seeyon Zhiyuan OA Web Application System. This issue affects the this.oursNetService.getData function of the ThirdMenuController.class file. The manipulation of the url argument leads to server-side request forgery, allowing for remote attacks. The exploit has been publicly disclosed.

Recommendations For Seeyon Zhiyuan OA Web Application System versions up to 8.1 SP2, as a temporary workaround, consider disabling the this.oursNetService.getData function until a patch is available. Restrict access to the ThirdMenuController.class file to minimize the risk of exploitation. Avoid using the url argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.