← Voltar para CVEs

CVE-2019-25714

N/A

Descricao

Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC).

Detalhes CVE

Pontuacao CVSS v3.1N/A

Publicado4/21/2026

Ultima modificacao4/22/2026

Fontenvd

Avistamentos honeypot0

Fraquezas (CWE)

CWE-434

Referencias

https://sourceforge.net/software/product/A8/(disclosure@vulncheck.com)

https://static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/90916/Security_Notification_reseller_en-US.pdf(disclosure@vulncheck.com)

https://web.archive.org/web/20190821034711/http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/(disclosure@vulncheck.com)

https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/%E8%87%B4%E8%BF%9Coa/%E8%87%B4%E8%BF%9C%20OA%20A8%20htmlofficeservlet%20getshell%20%E6%BC%8F%E6%B4%9E/(disclosure@vulncheck.com)

https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=31713(disclosure@vulncheck.com)

https://www.fortiguard.com/encyclopedia/ips/48874/seeyon-office-anywhere-htmlofficeservlet-arbitrary-file-upload(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/seeyon-office-anywhere-oa-a8-unauthenticated-arbitrary-file-write-via-htmlofficeservlet(disclosure@vulncheck.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.