Jeesite
Monthly
A vulnerability has been found in thinkgem JeeSite up to 5.15.1. The affected element is an unknown function of the component Connection Handler. [CVSS 3.1 LOW]
Stored cross-site scripting (XSS) in JeeSite's xssFilter function allows authenticated users to inject malicious scripts via the text parameter in EncodeUtils.java, affecting versions up to 5.12.0. The vulnerability requires user interaction to trigger payload execution and has publicly available exploit code. With an EPSS score of 0.07% and CVSS 2.0, the likelihood of exploitation is low despite public disclosure, and remediation is straightforward via the vendor patch.
Unrestricted file upload in JeeSite up to version 5.12.0 allows authenticated remote attackers to upload arbitrary files via the FileUploadController, potentially leading to remote code execution or data exfiltration. The vulnerability has a publicly disclosed proof-of-concept and is classified as critical despite a low CVSS 4.0 score of 2.1, indicating that the CVSS vector (requiring authenticated access and limited scope of impact) does not fully reflect the practical severity of unrestricted file upload capabilities in a web application context.
Open redirect in JeeSite's SSO controller allows remote attackers to redirect users to arbitrary external URLs by manipulating the redirect parameter, exploiting user trust to facilitate phishing or credential theft attacks. Affects JeeSite up to version 5.12.0. Publicly available exploit code exists and requires user interaction (clicking a malicious link), but no active exploitation in the wild has been confirmed. The CVSS score is low (2.1) due to the user-interaction requirement and limited impact, and the EPSS score (0.11%) likewise indicates minimal real-world exploitation probability.
Open redirect vulnerability in JeeSite up to version 5.12.0 allows unauthenticated remote attackers to redirect users to arbitrary external websites via a crafted redirect parameter in the Site Controller select function. The vulnerability requires user interaction (clicking a malicious link) but carries low integrity impact through browser-based redirection. Publicly available exploit code exists, and a patch is available from the vendor; however, the EPSS score of 0.11% indicates low real-world exploitation probability despite public disclosure.
Server-side request forgery (SSRF) in thinkgem JeeSite up to version 5.12.0 allows authenticated remote attackers to manipulate the Source argument in the UEditor Image Grabber component (ActionEnter.java), enabling arbitrary HTTP requests from the vulnerable server with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, and a patch has been released by the vendor.
A vulnerability was found in thinkgem JeeSite up to 5.11.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.