Black & White Path
Mar 5, 2026 · Information Security
How a Front‑End 0‑Day in a Major OA System Was Discovered and Exploited
The article walks through the discovery of an arbitrary ZIP-file download vulnerability in a large OA front-end, detailing how the vulnerable Spring MVC controller was traced, how a PoC was built using a controllable cookie, how directory-traversal reads were achieved, and how the issue extends to DoS, and it closes by suggesting input-filter mitigations.
0day · Java · OA
