CVE-2021-4461
Severity: CRITICAL | Exploited in the wild
Seeyon Zhiyuan OA Web App <7.0 SP1 - Info Disclosure (title source: llm)
Exploitation Summary
CVE-2021-4461 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication or authorization checks, enabling an unauthenticated attacker to bind a session to an arbitrary user ID. Because the endpoint requires no prior privileges (PR:N in the CVSS v4 vector below) and the weakness is classed as CWE-306, the practical effect is an authentication bypass rather than only information disclosure. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 (UTC).
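The CVE record names the endpoint and the parameter but no detection logic. The following is an added example, not part of the CVE record, the vendor's code or VulnCheck's advisory: a small access-log scanner that flags requests to thirdpartyController.do carrying an `enc` query parameter, and reports bodiless POSTs to the same endpoint for review because POST bodies are not visible in access logs. The log format and the sample lines are constructed for illustration; only the endpoint path and the `enc` parameter name come from the description above.

```python
"""
Added example (not from the CVE record or any vendor/VulnCheck code):
flag access-log requests to Seeyon's thirdpartyController.do that carry the
`enc` parameter named in the CVE-2021-4461 description.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a combined-log-like format (assumed format;
# adjust LINE_RE for the real web server or reverse proxy in front of the OA).
SAMPLE_LOG = """\
203.0.113.10 - - [30/Oct/2025:00:30:40 +0000] "GET /seeyon/thirdpartyController.do?method=access&enc=AbCdEf0123456789 HTTP/1.1" 302 0
198.51.100.7 - - [30/Oct/2025:00:31:02 +0000] "GET /seeyon/main.do HTTP/1.1" 200 5120
203.0.113.10 - - [30/Oct/2025:00:31:05 +0000] "GET /seeyon/thirdpartyController.do?method=access&enc=Zz9y8X7w6V5u4T3s HTTP/1.1" 302 0
192.0.2.55 - - [30/Oct/2025:00:32:11 +0000] "POST /seeyon/thirdpartyController.do HTTP/1.1" 200 3341
192.0.2.55 - - [30/Oct/2025:00:32:12 +0000] "GET /seeyon/index.jsp HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the CVE description; matched case-insensitively on the path suffix.
VULN_PATH_SUFFIX = "/thirdpartycontroller.do"


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return 'high' for a request to the endpoint with an `enc` parameter,
    'review' for any other hit on the endpoint (e.g. a POST whose body the
    access log cannot show), or None when the request is unrelated."""
    if not rec["path"].lower().endswith(VULN_PATH_SUFFIX):
        return None
    if "enc" in rec["query"]:
        return "high"
    return "review"


def scan(log_text):
    """Scan a block of log text and return one finding dict per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        confidence = classify(rec)
        if confidence is None:
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "status": rec["status"],
            "confidence": confidence,
            "enc": rec["query"].get("enc", [""])[0],
        })
    return findings


def hits_per_source(findings):
    """Count findings per client IP; repeated enc values from one source stand out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f)
    print("per-source:", hits_per_source(found))
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents; a 302 from the endpoint followed by authenticated activity from the same client, with no earlier login, is the pattern worth escalating. The scanner is intentionally keyed on the endpoint and parameter only, since the page gives no details of the `enc` encoding to match on.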
References (4)
Core references (3):
- exploit (Xray PoC, seeyon-oa-cookie-leak.yml): https://github.com/chaitin/xray/blob/f90cf321bc4d294bbf6625a9c4853f3bfdf0a384/pocs/seeyon-oa-cookie-leak.yml
- exploit (Nuclei template, seeyon-unauth.yaml): https://github.com/projectdiscovery/nuclei-templates/blob/1ca6b8e6fe225cbd46dcb893dcaee01447afa8c0/http/misconfiguration/seeyon-unauth.yaml#L20
- third-party advisory (VulnCheck): https://www.vulncheck.com/advisories/seeyon-zhiyuan-oa-web-application-system-authentication-bypass
Other ecosystem writeups (1):
- exploit (WeChat article): https://mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKresg
Scores
CVSS v4: 9.3 (Critical)
EPSS: 0.0060 (percentile 44.5%)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
(Network-reachable, low attack complexity, no attack requirements, no privileges and no user interaction needed; high confidentiality and integrity impact on the vulnerable system, no availability impact, no subsequent-system impact; threat, environmental and supplemental metrics not defined.)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Note: the SSVC Exploitation value of "none" disagrees with the VulnCheck KEV entry above. SSVC decision points reflect CISA's assessment at the time the record was enriched and can lag later exploitation reports, so prioritize on the KEV observation rather than on this field.
Details
VulnCheck KEV: 2025-10-30
CWE: CWE-306 (Missing Authentication for Critical Function)
Status: published
Products (1): Seeyon/Zhiyuan OA Web Application System, < 7.0 SP1 (the description above says "up to and including 7.0 SP1"; confirm the fixed version with the vendor before treating 7.0 SP1 itself as unaffected)
Published: Oct 30, 2025
Tracked Since: Feb 18, 2026