PT-2026-1046 · Seeyon · Seeyon Zhiyuan Oa

Yuxiu · Published 2026-01-02 · Updated 2026-01-29 · CVE-2025-15427

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Seeyon Zhiyuan OA Web Application System versions prior to 20251222

Description: A security flaw exists in Seeyon Zhiyuan OA Web Application System. The issue involves a SQL injection impacting an unknown function within the file /carManager/carUseDetailList.j%73p. Manipulation of the CAR BRAND NO argument can lead to SQL injection. The attack can be performed remotely, and the exploit has been publicly released. The vendor was contacted but did not respond.

Recommendations: Versions prior to 20251222 should be updated. As a temporary workaround, restrict access to the /carManager/carUseDetailList.j%73p file. Avoid using the CAR BRAND NO parameter until the issue is resolved.
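
The file name in this advisory is written with a percent-encoded character (%73 decodes to "s", giving carUseDetailList.jsp), so an access restriction or log search that matches only one literal spelling can miss requests to the same file. The following added example (not part of the advisory and not vendor code) normalizes request paths before matching, so the workaround can be verified against access logs. Assumptions: logs use the common access-log request field, the application may sit under any context path, and matching is done in lowercase.

```python
import re
from urllib.parse import unquote

# Path from the advisory with %73 decoded to "s"; compared in lowercase.
TARGET_PATH = "/carmanager/carusedetaillist.jsp"
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap nested percent-encoding
# Assumption: request field looks like "METHOD URI HTTP/x.y" (common log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def normalize_path(uri: str) -> str:
    """Return the request path decoded, de-parameterised and lowercased."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Drop ";param" suffixes on each segment and collapse repeated slashes.
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return re.sub(r"/+", "/", "/".join(segments)).lower()


def is_restricted_endpoint(uri: str) -> bool:
    """True if the URI resolves to the advisory's file under any context path."""
    return normalize_path(uri).endswith(TARGET_PATH)


def flag_requests(log_lines):
    """Return (line_number, raw_uri) for every request to the endpoint."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if match and is_restricted_endpoint(match.group("uri")):
            hits.append((number, match.group("uri")))
    return hits


# Constructed sample log lines (documentation IP range, made-up sizes).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jan/2026:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jan/2026:10:00:02 +0000] "GET /carManager/carUseDetailList.jsp?p=1 HTTP/1.1" 200 900',
    '198.51.100.7 - - [02/Jan/2026:10:00:03 +0000] "POST /carManager/carUseDetailList.j%73p HTTP/1.1" 200 900',
    '198.51.100.7 - - [02/Jan/2026:10:00:04 +0000] "GET /app/carManager/carUseDetailList.j%2573p;x=1 HTTP/1.1" 200 900',
    '198.51.100.7 - - [02/Jan/2026:10:00:05 +0000] "GET /carManager/other.jsp HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for number, uri in flag_requests(SAMPLE_LOG):
        print(f"line {number}: {uri}")
```

Any hit that returned a non-error status after the restriction was put in place means the block rule is not matching that spelling of the path.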

Exploit · Fix · SQL injection · Special Elements Injection

Weakness Enumeration

Related Identifiers: CVE-2025-15427

Affected Products: Seeyon Zhiyuan Oa