CVE-2025-15427
Unknown Unknown - Not Provided
SQL Injection in Seeyon Zhiyuan OA Web App Enables Remote Attack

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: VulDB

Description
A security flaw has been discovered in Seeyon Zhiyuan OA Web Application System up to 20251222. This impacts an unknown function of the file /carManager/carUseDetailList.j%73p. The manipulation of the argument CAR_BRAND_NO results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-02
Generated
2026-05-07
AI Q&A
2026-01-02
EPSS Evaluated
2026-01-31
NVD
CVE-2025-15427
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
seeyon zhiyuan_oa_web_application_system to 20251222 (inc)
seeyon collaborative_platform 1.0
seeyou collaborative_platform 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-15427 is a critical SQL injection vulnerability in the Seeyon Zhiyuan OA Web Application System, specifically in the file /carManager/carUseDetailList.jsp. The vulnerability occurs because the application does not properly sanitize or validate the CAR_BRAND_NO parameter, allowing an attacker to inject malicious SQL code remotely without authentication. This can alter the intended SQL queries, leading to unauthorized database access and manipulation. [1, 2, 3]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing attackers to execute arbitrary SQL commands on your database remotely without authentication. This can lead to unauthorized access to sensitive data, data leakage, data tampering, full system control, and potential service disruption. The confidentiality, integrity, and availability of your system can be severely compromised, posing significant risks to system security and business continuity. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the vulnerable endpoint `/carManager/carUseDetailList.jsp` for SQL injection via the `CAR_BRAND_NO` parameter. Automated tools like sqlmap can be used to confirm the vulnerability. Example sqlmap command: `sqlmap -u "http://target/carManager/carUseDetailList.jsp" --data="CAR_BRAND_NO=11" --risk=3 --level=5`. Additionally, manual testing can be performed using payloads such as `CAR_BRAND_NO=11';WAITFOR DELAY '0:0:5'--` to check for time-based SQL injection or UNION-based payloads to extract data. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include: 1) Implementing prepared statements and parameterized queries to separate SQL code from user input. 2) Applying strict input validation and filtering on the `CAR_BRAND_NO` parameter to ensure it conforms to expected formats. 3) Minimizing database user permissions to restrict access rights and reduce impact. 4) Conducting regular security audits to detect and remediate vulnerabilities promptly. Since no official patch or vendor response is available, consider replacing the affected component or disabling the vulnerable functionality if possible. [1, 2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows unauthorized remote attackers to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, data tampering, and full system compromise. Such impacts on confidentiality, integrity, and availability of sensitive data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information. The lack of vendor response and absence of known mitigations further increase the risk of regulatory violations due to potential data breaches and failure to secure protected data. [1, 2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart