JeeSite
CVE-2025-7865
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in thinkgem JeeSite up to 5.12.0. It has been declared as problematic. This vulnerability affects the function xssFilter of the file src/main/java/com/jeesite/common/codec/EncodeUtils.java of the component XSS Filter. The manipulation of the argument text leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 3585737d21fe490ff6948d913fcbd8d99c41fc08. It is recommended to apply a patch to fix this issue.
Analysis (AI)
Cross-site scripting (XSS) in JeeSite's xssFilter function (EncodeUtils.java) lets an authenticated user inject script through the text parameter; the filter that is supposed to neutralize the input can be bypassed. Versions up to 5.12.0 are affected. The CVSS 4.0 vector (PR:L, UI:P) reflects an attacker with low privileges and a victim who must interact with the injected content for the payload to run, and public exploit code is available. With an EPSS score of 0.07% and a CVSS 4.0 base score of 2.0 (Low), the likelihood of exploitation is low despite public disclosure, but remediation is straightforward via the vendor patch.
Technical Context (AI)
The vulnerability lies in the XSS Filter component of JeeSite, specifically in the xssFilter function of src/main/java/com/jeesite/common/codec/EncodeUtils.java. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation): the function is meant to sanitize or encode the text argument before it is rendered in a page, but a bypass lets attacker-controlled input pass through in a form the browser still interprets as markup or script. JeeSite is a Java-based web application framework, so any feature that routes user input through this utility before rendering inherits the flaw; a filter that strips or rewrites known-bad patterns fails open whenever an input shape is missing from its patterns, whereas context-aware output encoding does not depend on recognizing the attack.
Remediation (AI)
Apply the vendor patch, commit 3585737d21fe490ff6948d913fcbd8d99c41fc08 (https://github.com/thinkgem/jeesite5/commit/3585737d21fe490ff6948d913fcbd8d99c41fc08), by upgrading JeeSite to a release that contains it (later than 5.12.0). After upgrading, confirm that the deployed EncodeUtils.java matches the patched version and that xssFilter encodes or sanitizes the text argument for the HTML context in which it is rendered. If immediate patching is not feasible, apply a stopgap at the input boundary: reject or HTML-encode the metacharacters <, >, ", ' and & in user-supplied values that reach xssFilter. Treat this as temporary; a denylist at the input stage does not replace context-aware output encoding, and the patch is required for complete remediation.