CVE-2025-4529: Seeyon Zhiyuan OA Web Application System ZIP File M3CoreController.class download path traversal
Description
A vulnerability was found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. It has been classified as problematic. Affected is the function Download of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\WEB-INF\lib\seeyon-apps-m3.jar!\com\seeyon\apps\m3\core\controller\M3CoreController.class of the component ZIP File Handler. The manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine problematische Schwachstelle in Seeyon Zhiyuan OA Web Application System 8.1 SP2 ausgemacht. Betroffen hiervon ist die Funktion Download der Datei seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\WEB-INF\lib\seeyon-apps-m3.jar!\com\seeyon\apps\m3\core\controller\M3CoreController.class der Komponente ZIP File Handler. Durch Beeinflussen des Arguments Name mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.
Classification
CVE ID: CVE-2025-4529
CVSS Base Severity: MEDIUM
CVSS Base Score: 4.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Problem Types
Path TraversalAffected Products
Vendor: Seeyon
Product: Zhiyuan OA Web Application System
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 12.5% (scored less or equal to compared to others)
EPSS Date: 2025-06-09 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-4529https://vuldb.com/?id.308274
https://vuldb.com/?ctiid.308274
https://vuldb.com/?submit.565379
https://wx.mail.qq.com/s?k=h3jd6HR4UnUJxQZ0RG