Seeyon Zhiyuan OA Web Application System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Seeyon Zhiyuan OA Web Application System, specifically in versions prior to 20251223. The issue arises in the file '/assetsGroupReport/fixedAssetsList.j%73p', where the 'unitCode' parameter can be manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely without authentication, allowing attackers to interfere with database operations and potentially access or modify sensitive information.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of SQL queries, which could lead to unauthorized access to the database, leakage or alteration of sensitive data, and disruption of service.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/assetsGroupReport/fixedAssetsList.j%73p' with the 'unitCode' parameter. The injection of SQL payloads, such as those that exploit SQL Server or Sybase stacked query vulnerabilities, can demonstrate the SQL injection flaw.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.