CVE-2021-4461
Seeyon Zhiyuan OA Web Application System < 7.0 SP1 Authentication Bypass
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- October 30, 2025
- Published Date
- October 30, 2025
- Last Updated
- November 28, 2025
- Vendor
- Seeyon
- Product
- Zhiyuan OA Web Application System
- Description
- Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.
CVSS Scores
CVSS v4.0
9.3 - CRITICAL
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SSVC Information
- Exploitation
- none
- Automatable
- Yes
- Technical Impact
- total
Exploit Status
- Exploited in the Wild
- Yes (2026-06-01 10:43:10 UTC) Source
References
https://mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKresg
https://github.com/chaitin/xray/blob/f90cf321bc4d294bbf6625a9c4853f3bfdf0a384/pocs/seeyon-oa-cookie-leak.yml
https://github.com/projectdiscovery/nuclei-templates/blob/1ca6b8e6fe225cbd46dcb893dcaee01447afa8c0/http/misconfiguration/seeyon-unauth.yaml#L20
https://www.vulncheck.com/advisories/seeyon-zhiyuan-oa-web-application-system-authentication-bypass
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CVE | 2026-06-01 10:43:10 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel