| 标题 | Seeyon Zhiyuan OA application system V8.1 SP2 DOM type XSS Cross-Site Request |
|---|
| 描述 | 1.Vulnerability name: Seeyon OA application system has DOM-type XSS cross-site request vulnerability
2.Vulnerability submitter and contributor: 蔡超雄(caichaoxiong)
3.Vendor: Seeyon Zhiyuan OA
4.Affected product versions:
Seeyon Zhiyuan OA application system product version number: V8.1 SP2.
5.Vulnerability Description
In the date.htm and date.jsp of Seeyon Zhiyuan OA application system (V8 SP2), because no security measures such as input filtering and output encoding are taken, attackers can obtain URL parameters through document.location.search. The background does not filter the URL parameters, resulting in the use of the eval function, triggering a DOM-type XSS cross-site request forgery vulnerability, which can steal sensitive data such as Cookies and session tokens, and can be used in conjunction with other vulnerabilities and attack methods to penetrate, forge a legitimate identity to log in to the system, and inject malicious content (such as fake forms, phishing links) to induce users to interact twice. |
|---|
| 来源 | ⚠️ https://wx.mail.qq.com/s?k=-ET_wl44c0s1Drppsy |
|---|
| 用户 | caichaoxiong (UID 84060) |
|---|
| 提交 | 2025-04-15 05時44分 (1 年前) |
|---|
| 管理 | 2025-04-26 10時23分 (11 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 306335 [Seeyon Zhiyuan OA Web Application System 8.1 SP2 URL Parameter date.jsp 跨网站脚本] |
|---|
| 积分 | 17 |
|---|