CVE-2025-15427

Unknown Unknown - Not Provided

SQL Injection in Seeyon Zhiyuan OA Web App Enables Remote Attack

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: VulDB

Description

A security flaw has been discovered in Seeyon Zhiyuan OA Web Application System up to 20251222. This impacts an unknown function of the file /carManager/carUseDetailList.j%73p. The manipulation of the argument CAR_BRAND_NO results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-01-02

Last Modified

2026-01-02

Generated

2026-06-16

AI Q&A

2026-01-02

EPSS Evaluated

2026-01-31

NVD

CVE-2025-15427

Affected Vendors & Products

Vendor	Product	Version / Range
seeyon	zhiyuan_oa_web_application_system	to 20251222 (inc)
seeyon	collaborative_platform	1.0
seeyou	collaborative_platform	1.0

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

CVE-2025-15427 is a critical SQL injection vulnerability in the Seeyon Zhiyuan OA Web Application System, specifically in the file /carManager/carUseDetailList.jsp. The vulnerability occurs because the application does not properly sanitize or validate the CAR_BRAND_NO parameter, allowing an attacker to inject malicious SQL code remotely without authentication. This can alter the intended SQL queries, leading to unauthorized database access and manipulation. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary SQL commands on your database remotely without authentication. This can lead to unauthorized access to sensitive data, data leakage, data tampering, full system control, and potential service disruption. The confidentiality, integrity, and availability of your system can be severely compromised, posing significant risks to system security and business continuity. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the vulnerable endpoint `/carManager/carUseDetailList.jsp` for SQL injection via the `CAR_BRAND_NO` parameter. Automated tools like sqlmap can be used to confirm the vulnerability. Example sqlmap command: `sqlmap -u "http://target/carManager/carUseDetailList.jsp" --data="CAR_BRAND_NO=11" --risk=3 --level=5`. Additionally, manual testing can be performed using payloads such as `CAR_BRAND_NO=11';WAITFOR DELAY '0:0:5'--` to check for time-based SQL injection or UNION-based payloads to extract data. [2]

Mitigation Strategies

Immediate mitigation steps include: 1) Implementing prepared statements and parameterized queries to separate SQL code from user input. 2) Applying strict input validation and filtering on the `CAR_BRAND_NO` parameter to ensure it conforms to expected formats. 3) Minimizing database user permissions to restrict access rights and reduce impact. 4) Conducting regular security audits to detect and remediate vulnerabilities promptly. Since no official patch or vendor response is available, consider replacing the affected component or disabling the vulnerable functionality if possible. [1, 2]

Compliance Impact

The vulnerability allows unauthorized remote attackers to perform SQL injection attacks, potentially leading to unauthorized access, data leakage, data tampering, and full system compromise. Such impacts on confidentiality, integrity, and availability of sensitive data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information. The lack of vendor response and absence of known mitigations further increase the risk of regulatory violations due to potential data breaches and failure to secure protected data. [1, 2]

Hi! I’m here to help you understand CVE-2025-15427. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-15427

SQL Injection in Seeyon Zhiyuan OA Web App Enables Remote Attack

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart