PT-2025-44459 · Seeyon · Seeyon Zhiyuan Oa
Published 2025-10-30 · Updated 2025-11-28 · CVE-2021-4461
CVSS v4.0: 9.3 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1
Description
The software does not properly decode and parse the enc parameter of the thirdpartyController.do endpoint. Values from the decoded map can set session attributes without sufficient authentication or authorization checks, allowing an attacker to bind a session to an arbitrary user ID. This issue has been observed being exploited in the wild. The vulnerable endpoint is /thirdpartyController.do and the vulnerable parameter is enc.
Recommendations
Versions prior to 7.0 SP1 should be used.
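A log-review helper for the endpoint and parameter named in this advisory, added here as an example (it is not PT's or Seeyon's code). It assumes Apache/Nginx combined log format and a deployment context path such as /seeyon/; the sample lines and the enc value are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx combined log format (assumed): client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
VULN_PATH = "/thirdpartyController.do"  # endpoint named in the advisory
VULN_PARAM = "enc"                       # parameter named in the advisory


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    parts = urlsplit(d["target"])
    d["path"] = parts.path
    d["query"] = parse_qs(parts.query, keep_blank_values=True)
    return d


def hits_vuln_endpoint(entry):
    """Match the endpoint case-insensitively and regardless of context path
    (e.g. /seeyon/thirdpartyController.do, an assumed deployment prefix)."""
    return entry["path"].lower().endswith(VULN_PATH.lower())


def scan(lines):
    """Return one record per request to the endpoint, noting whether enc was
    visible in the query string (POST bodies are not logged, so review those too)."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and hits_vuln_endpoint(e):
            hits.append({"ip": e["ip"], "ts": e["ts"], "method": e["method"],
                         "status": int(e["status"]),
                         "enc_seen": VULN_PARAM in e["query"]})
    return hits


# Constructed sample lines; the enc value is a placeholder, not a real payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Oct/2025:10:01:02 +0000] "GET /seeyon/thirdpartyController.do?enc=PLACEHOLDER HTTP/1.1" 302 0',
    '198.51.100.4 - - [30/Oct/2025:10:01:05 +0000] "GET /seeyon/main.do HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Oct/2025:10:01:09 +0000] "POST /seeyon/thirdpartyController.do HTTP/1.1" 200 311',
]
```

Any hit on an instance running 7.0 SP1 or earlier warrants a review of the sessions created around that time, since the advisory reports in-the-wild exploitation.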
Exploit
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Seeyon Zhiyuan Oa