Seeyon Zhiyuan OA v7.0 SP1: Session hijack via thirdpartyController.do
CVE-2021-4461 Published on October 30, 2025
Seeyon Zhiyuan OA Web Application System < 7.0 SP1 Authentication Bypass
Seeyon Zhiyuan OA Web Application System versions up to and including 7.0 SP1 improperly decode and parse the `enc` parameter in thirdpartyController.do. The decoded map values can influence session attributes without sufficient authentication/authorization checks, enabling attackers to assign a session to arbitrary user IDs. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:40.855917 UTC.
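As an added, defender-side illustration (not code from the advisory or from the vendor), the following script scans web-server access logs for requests to thirdpartyController.do that carry the `enc` parameter described above, so that exposure and in-the-wild probing can be triaged. The combined log format, the `/seeyon/` path prefix and all sample lines are constructed assumptions; the `enc` values are opaque placeholders, not real payloads.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (assumption: the
# OA application is served under /seeyon/). Not taken from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Oct/2025:00:29:58 +0000] "GET /seeyon/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2025:00:30:40 +0000] "GET /seeyon/thirdpartyController.do?enc=PLACEHOLDER_OPAQUE_1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [30/Oct/2025:00:31:02 +0000] "POST /seeyon/thirdpartyController.do?enc=PLACEHOLDER_OPAQUE_2 HTTP/1.1" 200 812 "-" "curl/8.4.0"
192.0.2.9 - - [30/Oct/2025:00:31:10 +0000] "GET /seeyon/main.do HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_enc_request(target):
    """True when the request targets thirdpartyController.do with an `enc` parameter."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("thirdpartycontroller.do"):
        return False
    # keep_blank_values so an empty `enc=` still counts: the endpoint decodes it either way
    return "enc" in parse_qs(parts.query, keep_blank_values=True)


def find_suspicious(log_text):
    """Collect every request that matches the vulnerable endpoint/parameter pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_enc_request(rec["target"]):
            hits.append({k: rec[k] for k in ("ip", "ts", "method", "status", "ua")})
    return hits


def summarize_by_source(hits):
    """Count hits per source IP; legitimate SSO integrations should come from known hosts only."""
    return Counter(h["ip"] for h in hits)
```

Legitimate third-party integrations may also use this endpoint, so baseline the source IPs and user agents that normally call it and alert on anything outside that set.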
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Products Associated with CVE-2021-4461
Affected Versions
Seeyon Zhiyuan OA Web Application System: versions before and including 7.0 SP1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.