JeeSite
CVE-2025-7763
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS 4.0 vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability, which was classified as problematic, was found in thinkgem JeeSite up to 5.12.0. Affected is the function select of the file src/main/java/com/jeesite/modules/cms/web/SiteController.java of the component Site Controller. The manipulation of the argument redirect leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 3d06b8d009d0267f0255acc87ea19d29d07cedc3. It is recommended to apply a patch to fix this issue.
Analysis (AI)
An open redirect in JeeSite up to and including version 5.12.0 lets an unauthenticated remote attacker send a victim's browser to an arbitrary external site by supplying a crafted redirect parameter to the select function of the Site Controller. Exploitation needs user interaction (the victim must follow an attacker-supplied link), and the only direct impact is low integrity: the application itself is not compromised, but a link whose hostname is the trusted JeeSite instance ends up on an attacker-controlled page, which is the usual setup for phishing and credential harvesting. Exploit details are public and a vendor patch exists; the EPSS score of 0.11% nevertheless indicates a low probability of real-world exploitation.
Technical Context (AI)
The flaw sits in the Site Controller component (src/main/java/com/jeesite/modules/cms/web/SiteController.java), in the select function, which uses the redirect parameter as a redirect target without validating it. This is a textbook open redirect (CWE-601): user-supplied input reaches a redirect operation with no sanitization or allowlisting of the destination. JeeSite is a Java-based enterprise application framework built on Spring, and in that setting the pattern is typically a view name of the form "redirect:" + redirect, so any absolute URL the attacker places in the parameter is echoed into the Location header. Attackers exploit this by crafting links that appear to point at the legitimate JeeSite host but land on an attacker-controlled site. All JeeSite versions up to and including 5.12.0 are affected.
Remediation (AI)
Apply the vendor patch identified by commit 3d06b8d009d0267f0255acc87ea19d29d07cedc3, available at https://github.com/thinkgem/jeesite5/commit/3d06b8d009d0267f0255acc87ea19d29d07cedc3, which adds validation of the redirect parameter in the select function. Upgrade to a release that contains this commit; the advisory does not name the first fixed version, so confirm it with the vendor rather than assuming the next version number after 5.12.0. If patching cannot be done immediately, restrict the redirect parameter to an allowlist of internal URL patterns (same-origin absolute paths, or a fixed set of permitted hosts) and reject everything else, including protocol-relative values such as //evil.example and backslash variants that browsers normalize to the same thing. That workaround is a code-level change and only a stopgap until the patch is applied; a reverse proxy or WAF rule that drops requests whose redirect parameter carries a scheme or a leading // is a coarser alternative. After patching, verify the fix by requesting the affected endpoint with an off-site redirect value and checking that the Location response header stays on the application's own origin.
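As an added illustration, not JeeSite's own code and not the contents of the referenced commit, the following Spring MVC controller shows the vulnerable pattern described under Technical Context beside an allowlist-style check of the kind the workaround above calls for. The class name, route paths, parameter binding and the safeLocalTarget helper are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Hypothetical controller written for this page; not JeeSite code.
@Controller
public class RedirectExampleController {

    // VULNERABLE (CWE-601): the caller's value goes straight into Spring's
    // "redirect:" view prefix, so ?redirect=https://evil.example produces
    // "Location: https://evil.example" and the browser leaves the site.
    @GetMapping("/example/select-vulnerable")
    public String selectVulnerable(
            @RequestParam(name = "redirect", required = false) String redirect) {
        if (redirect == null || redirect.isEmpty()) {
            return "redirect:/";
        }
        return "redirect:" + redirect;
    }

    // HARDENED: only a same-origin absolute path is accepted; anything else
    // falls back to the application root instead of being echoed back.
    @GetMapping("/example/select")
    public String selectSafe(
            @RequestParam(name = "redirect", required = false) String redirect) {
        return "redirect:" + safeLocalTarget(redirect, "/");
    }

    /**
     * Returns candidate if it is a same-origin path such as "/cms/site/list?x=1",
     * otherwise fallback. Rejects values with a scheme or authority
     * ("https://evil.example", "//evil.example", "evil.example:8080",
     * "javascript:alert(1)"), backslash variants ("/\evil.example", which
     * browsers treat like "//evil.example"), and anything that is not a URI.
     */
    static String safeLocalTarget(String candidate, String fallback) {
        if (candidate == null || candidate.isEmpty()) {
            return fallback;
        }
        // Backslashes are invalid in URIs and are normalised to "/" by
        // browsers, so reject them outright rather than relying on parsing.
        if (candidate.contains("\\")) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return fallback;
        }
        // A scheme ("https:", "javascript:") or an authority ("//host") means
        // the target is not a path on this application.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return fallback;
        }
        String path = uri.getRawPath();
        // Require an absolute path on this host; "//" is already excluded by
        // the authority check but is kept explicit for readers.
        if (path == null || !path.startsWith("/") || path.startsWith("//")) {
            return fallback;
        }
        return candidate;
    }
}
```

The check deliberately allowlists by shape (same-origin absolute path) rather than denylisting known-bad prefixes, because the bypass list for open redirects (protocol-relative URLs, backslashes, userinfo tricks such as https://trusted@evil.example) keeps growing. If external destinations must be permitted, compare uri.getHost() against a fixed set of hostnames instead of loosening this check.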