Search

Find a vulnerability

Search criteria

    14 vulnerabilities found for oa_web_application_system by seeyon

    CVE-2025-15447 (GCVE-0-2025-15447)

    Vulnerability from nvd – Published: 2026-01-04 23:32 – Updated: 2026-02-02 06:53
    VLAI

    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry.

    Show details on NVD website

    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-02-02T06:53:43.582Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry."
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15447",
        "datePublished": "2026-01-04T23:32:07.098Z",
        "dateRejected": "2026-02-02T06:53:43.582Z",
        "dateReserved": "2026-01-04T08:35:11.394Z",
        "dateUpdated": "2026-02-02T06:53:43.582Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15446 (GCVE-0-2025-15446)

    Vulnerability from nvd – Published: 2026-01-04 23:02 – Updated: 2026-02-02 06:53
    VLAI

    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry.

    Show details on NVD website

    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-02-02T06:53:41.477Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry."
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15446",
        "datePublished": "2026-01-04T23:02:08.276Z",
        "dateRejected": "2026-02-02T06:53:41.477Z",
        "dateReserved": "2026-01-04T08:35:08.234Z",
        "dateUpdated": "2026-02-02T06:53:41.477Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15427 (GCVE-0-2025-15427)

    Vulnerability from nvd – Published: 2026-01-02 04:02 – Updated: 2026-02-02 06:53
    VLAI

    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry.

    Show details on NVD website

    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-02-02T06:53:21.085Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry."
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15427",
        "datePublished": "2026-01-02T04:02:06.172Z",
        "dateRejected": "2026-02-02T06:53:21.085Z",
        "dateReserved": "2026-01-01T11:19:01.442Z",
        "dateUpdated": "2026-02-02T06:53:21.085Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-4531 (GCVE-0-2025-4531)

    Vulnerability from nvd – Published: 2025-05-11 05:31 – Updated: 2025-05-12 13:50
    VLAI
    Title
    Seeyon Zhiyuan OA Web Application System Beetl Template EhrSalaryPayrollServiceImpl.class postData code injection
    Summary
    A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been rated as critical. Affected by this issue is the function postData of the file ROOT\WEB-INF\classes\com\ours\www\ehr\salary\service\data\EhrSalaryPayrollServiceImpl.class of the component Beetl Template Handler. The manipulation of the argument payrollId leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.308276 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.308276 signaturepermissions-required
    https://vuldb.com/?submit.566097 third-party-advisory
    https://wx.mail.qq.com/s?k=iGTE4n4wT2AEdHPxOR exploit
    Impacted products
    Credits
    caichaoxiong (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4531",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-12T13:50:12.976261Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T13:50:33.139Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Beetl Template Handler"
              ],
              "product": "Zhiyuan OA Web Application System",
              "vendor": "Seeyon",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1 SP2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "caichaoxiong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been rated as critical. Affected by this issue is the function postData of the file ROOT\\WEB-INF\\classes\\com\\ours\\www\\ehr\\salary\\service\\data\\EhrSalaryPayrollServiceImpl.class of the component Beetl Template Handler. The manipulation of the argument payrollId leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used."
            },
            {
              "lang": "de",
              "value": "Eine kritische Schwachstelle wurde in Seeyon Zhiyuan OA Web Application System 8.1 SP2 ausgemacht. Es geht hierbei um die Funktion postData der Datei ROOT\\WEB-INF\\classes\\com\\ours\\www\\ehr\\salary\\service\\data\\EhrSalaryPayrollServiceImpl.class der Komponente Beetl Template Handler. Dank Manipulation des Arguments payrollId mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-11T05:31:06.887Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-308276 | Seeyon Zhiyuan OA Web Application System Beetl Template EhrSalaryPayrollServiceImpl.class postData code injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.308276"
            },
            {
              "name": "VDB-308276 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.308276"
            },
            {
              "name": "Submit #566097 | Seeyon Seeyon Zhiyuan OA Application V8.1 SP2 Remote Arbitrary Command Execution Vulnerability",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.566097"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://wx.mail.qq.com/s?k=iGTE4n4wT2AEdHPxOR"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-10T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-05-10T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-05-10T07:47:44.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Seeyon Zhiyuan OA Web Application System Beetl Template EhrSalaryPayrollServiceImpl.class postData code injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-4531",
        "datePublished": "2025-05-11T05:31:06.887Z",
        "dateReserved": "2025-05-10T05:42:30.663Z",
        "dateUpdated": "2025-05-12T13:50:33.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-4529 (GCVE-0-2025-4529)

    Vulnerability from nvd – Published: 2025-05-11 04:00 – Updated: 2025-05-12 14:00
    VLAI
    Title
    Seeyon Zhiyuan OA Web Application System ZIP File M3CoreController.class download path traversal
    Summary
    A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been classified as problematic. Affected is the function Download of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\WEB-INF\lib\seeyon-apps-m3.jar!\com\seeyon\apps\m3\core\controller\M3CoreController.class of the component ZIP File Handler. The manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.308274 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.308274 signaturepermissions-required
    https://vuldb.com/?submit.565379 third-party-advisory
    https://wx.mail.qq.com/s?k=h3jd6HR4UnUJxQZ0RG exploit
    Impacted products
    Credits
    caichaoxiong (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4529",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-12T14:00:16.648656Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T14:00:29.397Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "ZIP File Handler"
              ],
              "product": "Zhiyuan OA Web Application System",
              "vendor": "Seeyon",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1 SP2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "caichaoxiong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been classified as problematic. Affected is the function Download of the file seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\WEB-INF\\lib\\seeyon-apps-m3.jar!\\com\\seeyon\\apps\\m3\\core\\controller\\M3CoreController.class of the component ZIP File Handler. The manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
            },
            {
              "lang": "de",
              "value": "Es wurde eine problematische Schwachstelle in Seeyon Zhiyuan OA Web Application System 8.1 SP2 ausgemacht. Betroffen hiervon ist die Funktion Download der Datei seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\WEB-INF\\lib\\seeyon-apps-m3.jar!\\com\\seeyon\\apps\\m3\\core\\controller\\M3CoreController.class der Komponente ZIP File Handler. Durch Beeinflussen des Arguments Name mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-11T04:00:08.206Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-308274 | Seeyon Zhiyuan OA Web Application System ZIP File M3CoreController.class download path traversal",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.308274"
            },
            {
              "name": "VDB-308274 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.308274"
            },
            {
              "name": "Submit #565379 | Seeyon Zhiyuan OA Web Application System V8.1 SP2 Path Traversal Vulnerability",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.565379"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://wx.mail.qq.com/s?k=h3jd6HR4UnUJxQZ0RG"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-10T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-05-10T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-05-10T07:38:59.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Seeyon Zhiyuan OA Web Application System ZIP File M3CoreController.class download path traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-4529",
        "datePublished": "2025-05-11T04:00:08.206Z",
        "dateReserved": "2025-05-10T05:33:56.295Z",
        "dateUpdated": "2025-05-12T14:00:29.397Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-4000 (GCVE-0-2025-4000)

    Vulnerability from nvd – Published: 2025-04-28 04:00 – Updated: 2025-04-28 18:03
    VLAI
    Title
    Seeyon Zhiyuan OA Web Application System ssoproxy.jsp cross site scripting
    Summary
    A vulnerability, which was classified as problematic, was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. Affected is an unknown function of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\ssoproxy\jsp\ssoproxy.jsp. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.306336 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.306336 signaturepermissions-required
    https://vuldb.com/?submit.558067 third-party-advisory
    https://wx.mail.qq.com/s?k=g1PB2UUAekANSMkHzr exploit
    Impacted products
    Credits
    caichaoxiong (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4000",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-28T18:02:59.244413Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-28T18:03:05.287Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Zhiyuan OA Web Application System",
              "vendor": "Seeyon",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1 SP2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "caichaoxiong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability, which was classified as problematic, was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. Affected is an unknown function of the file seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\ssoproxy\\jsp\\ssoproxy.jsp. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
            },
            {
              "lang": "de",
              "value": "Es wurde eine Schwachstelle in Seeyon Zhiyuan OA Web Application System 8.1 SP2 gefunden. Sie wurde als problematisch eingestuft. Hiervon betroffen ist ein unbekannter Codeblock der Datei seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\ssoproxy\\jsp\\ssoproxy.jsp. Durch Manipulieren des Arguments Name mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-28T04:00:07.125Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-306336 | Seeyon Zhiyuan OA Web Application System ssoproxy.jsp cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.306336"
            },
            {
              "name": "VDB-306336 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.306336"
            },
            {
              "name": "Submit #558067 | Seeyon Zhiyuan OA Web Application System V8.1 SP2 Cross Site Scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.558067"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://wx.mail.qq.com/s?k=g1PB2UUAekANSMkHzr"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-04-26T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-04-26T10:29:00.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Seeyon Zhiyuan OA Web Application System ssoproxy.jsp cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-4000",
        "datePublished": "2025-04-28T04:00:07.125Z",
        "dateReserved": "2025-04-26T08:23:54.171Z",
        "dateUpdated": "2025-04-28T18:03:05.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3999 (GCVE-0-2025-3999)

    Vulnerability from nvd – Published: 2025-04-28 03:31 – Updated: 2025-05-12 15:48
    VLAI
    Title
    Seeyon Zhiyuan OA Web Application System URL Parameter date.jsp cross site scripting
    Summary
    A vulnerability, which was classified as problematic, has been found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. This issue affects some unknown processing of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\common\js\addDate\date.jsp of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Credits
    caichaoxiong (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3999",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-28T18:02:23.276753Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T15:48:09.762Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "URL Parameter Handler"
              ],
              "product": "Zhiyuan OA Web Application System",
              "vendor": "Seeyon",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1 SP2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "caichaoxiong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability, which was classified as problematic, has been found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. This issue affects some unknown processing of the file seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\common\\js\\addDate\\date.jsp of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
            },
            {
              "lang": "de",
              "value": "Eine Schwachstelle wurde in Seeyon Zhiyuan OA Web Application System 8.1 SP2 entdeckt. Sie wurde als problematisch eingestuft. Davon betroffen ist unbekannter Code der Datei seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\common\\js\\addDate\\date.jsp der Komponente URL Parameter Handler. Durch das Manipulieren mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-28T03:31:06.407Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-306335 | Seeyon Zhiyuan OA Web Application System URL Parameter date.jsp cross site scripting",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/?id.306335"
            },
            {
              "name": "VDB-306335 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.306335"
            },
            {
              "name": "Submit #557987 | Seeyon Zhiyuan OA application system V8.1 SP2 DOM type XSS Cross-Site Request",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.557987"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://wx.mail.qq.com/s?k=-ET_wl44c0s1Drppsy"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-04-26T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-04-26T10:28:59.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Seeyon Zhiyuan OA Web Application System URL Parameter date.jsp cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-3999",
        "datePublished": "2025-04-28T03:31:06.407Z",
        "dateReserved": "2025-04-26T08:23:51.846Z",
        "dateUpdated": "2025-05-12T15:48:09.762Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-15447 (GCVE-0-2025-15447)

    Vulnerability from cvelistv5 – Published: 2026-01-04 23:32 – Updated: 2026-02-02 06:53
    VLAI

    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry.

    Show details on NVD website

    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-02-02T06:53:43.582Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry."
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15447",
        "datePublished": "2026-01-04T23:32:07.098Z",
        "dateRejected": "2026-02-02T06:53:43.582Z",
        "dateReserved": "2026-01-04T08:35:11.394Z",
        "dateUpdated": "2026-02-02T06:53:43.582Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15446 (GCVE-0-2025-15446)

    Vulnerability from cvelistv5 – Published: 2026-01-04 23:02 – Updated: 2026-02-02 06:53
    VLAI

    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry.

    Show details on NVD website

    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-02-02T06:53:41.477Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry."
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15446",
        "datePublished": "2026-01-04T23:02:08.276Z",
        "dateRejected": "2026-02-02T06:53:41.477Z",
        "dateReserved": "2026-01-04T08:35:08.234Z",
        "dateUpdated": "2026-02-02T06:53:41.477Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-15427 (GCVE-0-2025-15427)

    Vulnerability from cvelistv5 – Published: 2026-01-02 04:02 – Updated: 2026-02-02 06:53
    VLAI

    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry.

    Show details on NVD website

    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-02-02T06:53:21.085Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: The vendor mentioned in the original disclosure filed a report that this issue affects a different vendor. The researcher was not able to provide a proof for his disputed claim which is why the CNA decided to revoke the whole entry."
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-15427",
        "datePublished": "2026-01-02T04:02:06.172Z",
        "dateRejected": "2026-02-02T06:53:21.085Z",
        "dateReserved": "2026-01-01T11:19:01.442Z",
        "dateUpdated": "2026-02-02T06:53:21.085Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-4531 (GCVE-0-2025-4531)

    Vulnerability from cvelistv5 – Published: 2025-05-11 05:31 – Updated: 2025-05-12 13:50
    VLAI
    Title
    Seeyon Zhiyuan OA Web Application System Beetl Template EhrSalaryPayrollServiceImpl.class postData code injection
    Summary
    A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been rated as critical. Affected by this issue is the function postData of the file ROOT\WEB-INF\classes\com\ours\www\ehr\salary\service\data\EhrSalaryPayrollServiceImpl.class of the component Beetl Template Handler. The manipulation of the argument payrollId leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.308276 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.308276 signaturepermissions-required
    https://vuldb.com/?submit.566097 third-party-advisory
    https://wx.mail.qq.com/s?k=iGTE4n4wT2AEdHPxOR exploit
    Impacted products
    Credits
    caichaoxiong (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4531",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-12T13:50:12.976261Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T13:50:33.139Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Beetl Template Handler"
              ],
              "product": "Zhiyuan OA Web Application System",
              "vendor": "Seeyon",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1 SP2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "caichaoxiong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been rated as critical. Affected by this issue is the function postData of the file ROOT\\WEB-INF\\classes\\com\\ours\\www\\ehr\\salary\\service\\data\\EhrSalaryPayrollServiceImpl.class of the component Beetl Template Handler. The manipulation of the argument payrollId leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used."
            },
            {
              "lang": "de",
              "value": "Eine kritische Schwachstelle wurde in Seeyon Zhiyuan OA Web Application System 8.1 SP2 ausgemacht. Es geht hierbei um die Funktion postData der Datei ROOT\\WEB-INF\\classes\\com\\ours\\www\\ehr\\salary\\service\\data\\EhrSalaryPayrollServiceImpl.class der Komponente Beetl Template Handler. Dank Manipulation des Arguments payrollId mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-11T05:31:06.887Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-308276 | Seeyon Zhiyuan OA Web Application System Beetl Template EhrSalaryPayrollServiceImpl.class postData code injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.308276"
            },
            {
              "name": "VDB-308276 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.308276"
            },
            {
              "name": "Submit #566097 | Seeyon Seeyon Zhiyuan OA Application V8.1 SP2 Remote Arbitrary Command Execution Vulnerability",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.566097"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://wx.mail.qq.com/s?k=iGTE4n4wT2AEdHPxOR"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-10T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-05-10T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-05-10T07:47:44.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Seeyon Zhiyuan OA Web Application System Beetl Template EhrSalaryPayrollServiceImpl.class postData code injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-4531",
        "datePublished": "2025-05-11T05:31:06.887Z",
        "dateReserved": "2025-05-10T05:42:30.663Z",
        "dateUpdated": "2025-05-12T13:50:33.139Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-4529 (GCVE-0-2025-4529)

    Vulnerability from cvelistv5 – Published: 2025-05-11 04:00 – Updated: 2025-05-12 14:00
    VLAI
    Title
    Seeyon Zhiyuan OA Web Application System ZIP File M3CoreController.class download path traversal
    Summary
    A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been classified as problematic. Affected is the function Download of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\WEB-INF\lib\seeyon-apps-m3.jar!\com\seeyon\apps\m3\core\controller\M3CoreController.class of the component ZIP File Handler. The manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.308274 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.308274 signaturepermissions-required
    https://vuldb.com/?submit.565379 third-party-advisory
    https://wx.mail.qq.com/s?k=h3jd6HR4UnUJxQZ0RG exploit
    Impacted products
    Credits
    caichaoxiong (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4529",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-12T14:00:16.648656Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T14:00:29.397Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "ZIP File Handler"
              ],
              "product": "Zhiyuan OA Web Application System",
              "vendor": "Seeyon",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1 SP2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "caichaoxiong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been classified as problematic. Affected is the function Download of the file seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\WEB-INF\\lib\\seeyon-apps-m3.jar!\\com\\seeyon\\apps\\m3\\core\\controller\\M3CoreController.class of the component ZIP File Handler. The manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
            },
            {
              "lang": "de",
              "value": "Es wurde eine problematische Schwachstelle in Seeyon Zhiyuan OA Web Application System 8.1 SP2 ausgemacht. Betroffen hiervon ist die Funktion Download der Datei seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\WEB-INF\\lib\\seeyon-apps-m3.jar!\\com\\seeyon\\apps\\m3\\core\\controller\\M3CoreController.class der Komponente ZIP File Handler. Durch Beeinflussen des Arguments Name mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-11T04:00:08.206Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-308274 | Seeyon Zhiyuan OA Web Application System ZIP File M3CoreController.class download path traversal",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.308274"
            },
            {
              "name": "VDB-308274 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.308274"
            },
            {
              "name": "Submit #565379 | Seeyon Zhiyuan OA Web Application System V8.1 SP2 Path Traversal Vulnerability",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.565379"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://wx.mail.qq.com/s?k=h3jd6HR4UnUJxQZ0RG"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-10T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-05-10T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-05-10T07:38:59.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Seeyon Zhiyuan OA Web Application System ZIP File M3CoreController.class download path traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-4529",
        "datePublished": "2025-05-11T04:00:08.206Z",
        "dateReserved": "2025-05-10T05:33:56.295Z",
        "dateUpdated": "2025-05-12T14:00:29.397Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-4000 (GCVE-0-2025-4000)

    Vulnerability from cvelistv5 – Published: 2025-04-28 04:00 – Updated: 2025-04-28 18:03
    VLAI
    Title
    Seeyon Zhiyuan OA Web Application System ssoproxy.jsp cross site scripting
    Summary
    A vulnerability, which was classified as problematic, was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. Affected is an unknown function of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\ssoproxy\jsp\ssoproxy.jsp. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.306336 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.306336 signaturepermissions-required
    https://vuldb.com/?submit.558067 third-party-advisory
    https://wx.mail.qq.com/s?k=g1PB2UUAekANSMkHzr exploit
    Impacted products
    Credits
    caichaoxiong (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-4000",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-28T18:02:59.244413Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-28T18:03:05.287Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Zhiyuan OA Web Application System",
              "vendor": "Seeyon",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1 SP2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "caichaoxiong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability, which was classified as problematic, was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. Affected is an unknown function of the file seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\ssoproxy\\jsp\\ssoproxy.jsp. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
            },
            {
              "lang": "de",
              "value": "Es wurde eine Schwachstelle in Seeyon Zhiyuan OA Web Application System 8.1 SP2 gefunden. Sie wurde als problematisch eingestuft. Hiervon betroffen ist ein unbekannter Codeblock der Datei seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\ssoproxy\\jsp\\ssoproxy.jsp. Durch Manipulieren des Arguments Name mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-28T04:00:07.125Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-306336 | Seeyon Zhiyuan OA Web Application System ssoproxy.jsp cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.306336"
            },
            {
              "name": "VDB-306336 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.306336"
            },
            {
              "name": "Submit #558067 | Seeyon Zhiyuan OA Web Application System V8.1 SP2 Cross Site Scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.558067"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://wx.mail.qq.com/s?k=g1PB2UUAekANSMkHzr"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-04-26T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-04-26T10:29:00.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Seeyon Zhiyuan OA Web Application System ssoproxy.jsp cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-4000",
        "datePublished": "2025-04-28T04:00:07.125Z",
        "dateReserved": "2025-04-26T08:23:54.171Z",
        "dateUpdated": "2025-04-28T18:03:05.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3999 (GCVE-0-2025-3999)

    Vulnerability from cvelistv5 – Published: 2025-04-28 03:31 – Updated: 2025-05-12 15:48
    VLAI
    Title
    Seeyon Zhiyuan OA Web Application System URL Parameter date.jsp cross site scripting
    Summary
    A vulnerability, which was classified as problematic, has been found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. This issue affects some unknown processing of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\common\js\addDate\date.jsp of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Credits
    caichaoxiong (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3999",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-28T18:02:23.276753Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-12T15:48:09.762Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "URL Parameter Handler"
              ],
              "product": "Zhiyuan OA Web Application System",
              "vendor": "Seeyon",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.1 SP2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "caichaoxiong (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability, which was classified as problematic, has been found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. This issue affects some unknown processing of the file seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\common\\js\\addDate\\date.jsp of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
            },
            {
              "lang": "de",
              "value": "Eine Schwachstelle wurde in Seeyon Zhiyuan OA Web Application System 8.1 SP2 entdeckt. Sie wurde als problematisch eingestuft. Davon betroffen ist unbekannter Code der Datei seeyon\\opt\\Seeyon\\A8\\ApacheJetspeed\\webapps\\seeyon\\common\\js\\addDate\\date.jsp der Komponente URL Parameter Handler. Durch das Manipulieren mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-28T03:31:06.407Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-306335 | Seeyon Zhiyuan OA Web Application System URL Parameter date.jsp cross site scripting",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/?id.306335"
            },
            {
              "name": "VDB-306335 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.306335"
            },
            {
              "name": "Submit #557987 | Seeyon Zhiyuan OA application system V8.1 SP2 DOM type XSS Cross-Site Request",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.557987"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://wx.mail.qq.com/s?k=-ET_wl44c0s1Drppsy"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-04-26T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-04-26T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-04-26T10:28:59.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Seeyon Zhiyuan OA Web Application System URL Parameter date.jsp cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-3999",
        "datePublished": "2025-04-28T03:31:06.407Z",
        "dateReserved": "2025-04-26T08:23:51.846Z",
        "dateUpdated": "2025-05-12T15:48:09.762Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }