CNVD-2021-01627
Vulnerability from cnvd - Published: 2021-02-20
Title
Seeyon OA file upload vulnerability (CNVD-2021-01627)
Description
Seeyon OA (致远OA) is collaborative management software: a digital collaborative operations platform aimed at mid-sized and large group organizations.
Seeyon OA contains a file upload vulnerability. Some of its interfaces can be reached without authorization, so arbitrary files can be uploaded without logging in. An unauthenticated remote attacker can upload a crafted backdoor file, gain control of the target server and execute arbitrary code on it, achieving remote code execution.
Severity
High
Patch Name
Patch for the Seeyon OA file upload vulnerability
Patch Description
Seeyon OA (致远OA) is collaborative management software: a digital collaborative operations platform aimed at mid-sized and large group organizations.
Seeyon OA contains a file upload vulnerability. Some of its interfaces can be reached without authorization, so arbitrary files can be uploaded without logging in. An unauthenticated remote attacker can upload a crafted backdoor file, gain control of the target server and execute arbitrary code on it, achieving remote code execution. The vendor has published a security advisory and patch information that fix this vulnerability.
Formal description
Seeyon has released a new version that fixes this vulnerability; CNVD advises users to upgrade to the latest version immediately: http://service.seeyon.com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=1
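The description above gives the pattern an operator should check for after applying the patch: a backdoor file dropped through the unauthenticated upload. As an added example (not code from this page, CNVD, or Seeyon), the Python script below hunts a web root for server-side script files consistent with that pattern. It assumes a Java/JSP deployment, which the advisory does not state; the web-root layout, the `upload` directory, the extension list, the content heuristics and the sample files are all constructed for the example.

```python
"""Triage check for the unauthenticated upload described in this advisory.

Added example; not code from CNVD, Seeyon, or this page. It assumes a
Java/JSP deployment (the advisory does not state the server stack), takes the
web root and upload directories as parameters, and builds its own constructed
sample tree so it runs offline.
"""
import hashlib
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Extensions a servlet container executes if they land under the web root.
# Assumed JSP stack; swap for .php/.aspx on other platforms.
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".jspf", ".jsw", ".jsv"}

# Content heuristics typical of Java webshells. A hit is a lead, not proof,
# and a benign admin page can legitimately match one of these.
SUSPICIOUS_PATTERNS = [
    ("Runtime.exec", re.compile(rb"Runtime\.getRuntime\(\)\.exec")),
    ("ProcessBuilder", re.compile(rb"ProcessBuilder")),
    ("defineClass", re.compile(rb"defineClass")),
    ("javax.script eval", re.compile(rb"ScriptEngineManager")),
]


@dataclass
class Finding:
    path: str
    sha256: str
    mtime: float
    reasons: list = field(default_factory=list)


def has_script_extension(path):
    """True if any extension component is a script type. Also catches naming
    tricks such as 'avatar.jsp.png' or 'x.jsp;.png' that upload filters often
    miss; those are suspicious even where the container would not run them."""
    name = os.path.basename(path).lower()
    parts = re.split(r"[.;]", name)
    return any("." + p in SCRIPT_EXTENSIONS for p in parts[1:])


def hunt_webshells(web_root, baseline_epoch, upload_dirs=()):
    """Walk web_root and report script files that (a) changed after the
    last known-good deployment time, (b) live inside an upload directory,
    which should never hold executable content, or (c) match a webshell
    heuristic. Each Finding carries a SHA-256 for sharing or blocklisting."""
    upload_dirs = [os.path.abspath(d) for d in upload_dirs]
    findings = []
    for dirpath, _, filenames in os.walk(web_root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            if not has_script_extension(path):
                continue
            reasons = []
            st = os.stat(path)
            if st.st_mtime > baseline_epoch:
                reasons.append("modified after baseline")
            abs_path = os.path.abspath(path)
            if any(abs_path.startswith(d + os.sep) for d in upload_dirs):
                reasons.append("script file inside upload directory")
            with open(path, "rb") as fh:
                data = fh.read()
            hits = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(data)]
            if hits:
                reasons.append("content matches: " + ", ".join(hits))
            if reasons:
                findings.append(Finding(path, hashlib.sha256(data).hexdigest(),
                                        st.st_mtime, reasons))
    return findings


def build_demo_tree():
    """Constructed sample web root (not real Seeyon files): a legitimate JSP
    older than the baseline, and a one-line shell dropped into the upload
    folder, the pattern the advisory describes."""
    root = tempfile.mkdtemp(prefix="oa_root_")
    os.makedirs(os.path.join(root, "upload", "2021"))
    legit = os.path.join(root, "login.jsp")
    with open(legit, "wb") as fh:
        fh.write(b'<%@ page contentType="text/html" %><html>login</html>')
    month_ago = time.time() - 30 * 86400
    os.utime(legit, (month_ago, month_ago))
    shell = os.path.join(root, "upload", "2021", "avatar.jsp")
    with open(shell, "wb") as fh:
        fh.write(b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>')
    return root


def demo():
    """Run the hunt against the constructed tree; returns (relative path,
    reasons) pairs so the result can be checked programmatically."""
    root = build_demo_tree()
    baseline = time.time() - 7 * 86400  # last known-good deploy, a week ago
    found = hunt_webshells(root, baseline, upload_dirs=[os.path.join(root, "upload")])
    return [(os.path.relpath(f.path, root).replace(os.sep, "/"), f.reasons)
            for f in found]


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

Point `hunt_webshells` at the real web root with the timestamp of the last legitimate deployment and the directories the application uses for attachments; hash and preserve any finding for forensics rather than deleting it on the spot. Upgrading to the vendor's fixed version closes the upload path but does not remove a file that was already planted, which is why a check like this belongs alongside the patch.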
Impacted products
| Name |
|---|
| Beijing Seeyon Internet Software Co., Ltd. (北京致远互联软件股份有限公司) 致远OA A6 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 6.0 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.0 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 8.0 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.1 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.1SP1 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.0SP1 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.0SP2 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.0SP3 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 6.1SP1 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 6.1SP2 |
| Beijing Seeyon Internet Software Co., Ltd. 致远OA 5.x |
{
  "description": "Seeyon OA (致远OA) is collaborative management software: a digital collaborative operations platform aimed at mid-sized and large group organizations.\n\nSeeyon OA contains a file upload vulnerability. Some of its interfaces can be reached without authorization, so arbitrary files can be uploaded without logging in. An unauthenticated remote attacker can upload a crafted backdoor file, gain control of the target server and execute arbitrary code on it, achieving remote code execution.",
  "discovererName": "远江盛邦（北京）网络安全科技股份有限公司 (Yuanjiang Shengbang (Beijing) Network Security Technology Co., Ltd.)",
  "formalWay": "Seeyon has released a new version that fixes this vulnerability; CNVD advises users to upgrade to the latest version immediately:\r\nhttp://service.seeyon.com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=1",
  "isEvent": "General software/hardware vulnerability",
  "number": "CNVD-2021-01627",
  "openTime": "2021-02-20",
  "patchDescription": "Seeyon OA (致远OA) is collaborative management software: a digital collaborative operations platform aimed at mid-sized and large group organizations.\r\n\r\nSeeyon OA contains a file upload vulnerability. Some of its interfaces can be reached without authorization, so arbitrary files can be uploaded without logging in. An unauthenticated remote attacker can upload a crafted backdoor file, gain control of the target server and execute arbitrary code on it, achieving remote code execution. The vendor has published a security advisory and patch information that fix this vulnerability.",
  "patchName": "Patch for the Seeyon OA file upload vulnerability",
  "products": {
    "product": [
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA A6",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 6.0",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.0",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 8.0",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.1",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.1SP1",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.0SP1",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.0SP2",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 7.0SP3",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 6.1SP1",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 6.1SP2",
      "Beijing Seeyon Internet Software Co., Ltd. 致远OA 5.x"
    ]
  },
  "serverity": "High",
  "submitTime": "2021-01-06",
  "title": "Seeyon OA file upload vulnerability (CNVD-2021-01627)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.