CVE-2021-4461

Published: Oct 30, 2025

Modified: Nov 28, 2025

PUBLISHED

Description

Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.

Vendor: Seeyon

Product: Zhiyuan OA Web Application System

Versions: affected, 0 - <= 7.0 SP1

Weaknesses (CWE)
