Critical severityNVD Advisory· Published Oct 30, 2025· Updated Apr 15, 2026
CVE-2021-4461
CVE-2021-4461
Description
Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the enc parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=7.0 SP1
Patches
Vulnerability mechanics
References
4- github.com/chaitin/xray/blob/f90cf321bc4d294bbf6625a9c4853f3bfdf0a384/pocs/seeyon-oa-cookie-leak.ymlnvd
- github.com/projectdiscovery/nuclei-templates/blob/1ca6b8e6fe225cbd46dcb893dcaee01447afa8c0/http/misconfiguration/seeyon-unauth.yamlnvd
- mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKresgnvd
- www.vulncheck.com/advisories/seeyon-zhiyuan-oa-web-application-system-authentication-bypassnvd
News mentions
0No linked articles in our index yet.