CVE-2021-4461
Published: 2025-10-30
Priority: P181 · critical · 9.3 (CVSS 4.0)
ITW: VulnCheck KEV, exploited in the wild
EPSS: 0.60% (44.3rd percentile)
Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | microsoft_365_apps_for_enterprise_for_32-bit_systems | — | — |
| msrc | microsoft_365_apps_for_enterprise_for_64-bit_systems | — | — |
| msrc | microsoft_office_2019_for_32-bit_editions | — | — |
| msrc | microsoft_office_2019_for_64-bit_editions | — | — |
| msrc | microsoft_outlook_2010_service_pack_2 | — | — |
| msrc | microsoft_outlook_2013_rt_service_pack_1 | — | — |
| msrc | microsoft_outlook_2013_service_pack_1 | — | — |
| msrc | microsoft_outlook_2016 | — | — |
| seeyon | zhiyuan_oa_web_application_system | <= 7.0 SP1 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.3 | CRITICAL | — |
| vendor_msrc | — | 7.1 | HIGH | — |
GHSA
GHSA-vjp9-58v6-m6fw · ghsa_unreviewed · 2025-10-31
CVE-2021-4461 [CRITICAL] CWE-306 GHSA-vjp9-58v6-m6fw: Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1
VulnCheck
CVE-2021-4461 [CRITICAL] seeyon zhiyuan_oa_web_application_system Missing Authentication for Critical Function
vulncheck · 2021 · CVSS 9.3
Affected: seeyon zhiyuan_oa_web_application_system
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-20
Microsoft
CVE-2021-28452 [HIGH] Microsoft Outlook Memory Corruption Vulnerability
vendor_msrc · 2021-04-13 · CVSS 7.1
FAQ: Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.
Product: Microsoft Office Outlook
Vendor: Microsoft
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
Remediation: Click to Run
Reference: https://www.microsoft.com/downloads/details.aspx?familyid=8a77f591-8d6e-4461-b82f-226921e8b6d1
Reference: https://www.microsoft.com/downloads/details.aspx?familyid=f2e50154-9de0-48d8-bfd0-c34c0bb34c80
Reference: https://www.microsoft.com/downloads/details.aspx?familyid=47ce1a6d-075d-48d6-824b-1dc470bbd110
Reference: https://www.mic
No detection rules found.
No public exploits indexed.
References:
https://github.com/chaitin/xray/blob/f90cf321bc4d294bbf6625a9c4853f3bfdf0a384/pocs/seeyon-oa-cookie-leak.yml
https://github.com/projectdiscovery/nuclei-templates/blob/1ca6b8e6fe225cbd46dcb893dcaee01447afa8c0/http/misconfiguration/seeyon-unauth.yaml#L20
https://mp.weixin.qq.com/s/0AqdfTrZUVrwTMbKEKres
https://www.vulncheck.com/advisories/seeyon-zhiyuan-oa-web-application-system-authentication-bypass