CVE-2021-4461

Severity: CRITICAL | Exploited in the wild

Seeyon Zhiyuan OA Web App <7.0 SP1 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2021-4461 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.

Scores

CVSS v4: 9.3
EPSS: 0.0060
EPSS Percentile: 44.5%
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-10-30
CWE: CWE-306 (Missing Authentication for Critical Function)
Status: published
Products (1): Seeyon/Zhiyuan OA Web Application System < 7.0 SP1
Published: Oct 30, 2025
Tracked Since: Feb 18, 2026