Seeyon Office Anywhere (OA) A8 Unauthenticated Arbitrary File Write via htmlofficeservlet

Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC).

N/A

危险类型文件的不加限制上传

Seeyon OA A8 代码问题漏洞

Seeyon OA A8是中国致远（Seeyon）公司的一款协同办公管理系统。 Seeyon OA A8存在代码问题漏洞，该漏洞源于/seeyon/htmlofficeservlet端点存在未经身份验证的任意文件写入，可能导致远程攻击者通过特制POST请求写入任意文件至Web应用根目录，执行任意OS命令。

N/A

N/A