CVE-2021-4461

Vulnerability Description

Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.

Related Weaknesses (CWE)

References

FAQ

What is CVE-2021-4461?

CVE-2021-4461 is a vulnerability in Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1, which improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs.

How severe is CVE-2021-4461?

CVSS scoring is not yet available for CVE-2021-4461. Check NVD for updates.

Is there a patch for CVE-2021-4461?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.