| Название | Seeyon Zhiyuan OA application system V8.1 SP2 DOM type XSS Cross-Site Request |
|---|
| Описание | 1.Vulnerability name: Seeyon OA application system has DOM-type XSS cross-site request vulnerability
2.Vulnerability submitter and contributor: 蔡超雄(caichaoxiong)
3.Vendor: Seeyon Zhiyuan OA
4.Affected product versions:
Seeyon Zhiyuan OA application system product version number: V8.1 SP2.
5.Vulnerability Description
In the date.htm and date.jsp of Seeyon Zhiyuan OA application system (V8 SP2), because no security measures such as input filtering and output encoding are taken, attackers can obtain URL parameters through document.location.search. The background does not filter the URL parameters, resulting in the use of the eval function, triggering a DOM-type XSS cross-site request forgery vulnerability, which can steal sensitive data such as Cookies and session tokens, and can be used in conjunction with other vulnerabilities and attack methods to penetrate, forge a legitimate identity to log in to the system, and inject malicious content (such as fake forms, phishing links) to induce users to interact twice. |
|---|
| Источник | ⚠️ https://wx.mail.qq.com/s?k=-ET_wl44c0s1Drppsy |
|---|
| Пользователь | caichaoxiong (UID 84060) |
|---|
| Представление | 15.04.2025 05:44 (1 Год назад) |
|---|
| Модерация | 26.04.2025 10:23 (11 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 306335 [Seeyon Zhiyuan OA Web Application System 8.1 SP2 URL Parameter date.jsp межсайтовый скриптинг] |
|---|
| Баллы | 17 |
|---|