Jeewms

21 CVEs product

Monthly

CVE-2026-3028 MEDIUM POC This Month

Cross-site scripting (XSS) in the doAdd function of Jeewms up to version 3.7 allows unauthenticated remote attackers to inject malicious scripts through the Name parameter. Public exploit code exists for this vulnerability, and the vendor has not released patches or responded to disclosure attempts. An attacker can exploit this via a user interaction to perform actions in the context of the affected application.

Java XSS Jeewms
NVD VulDB
CVSS 3.1 score: 4.3 | EPSS: 0.0%
CVE-2026-3027 MEDIUM POC This Month

Reflected cross-site scripting in Jeewms up to version 3.7 exists in the UEditor component's getContent.jsp file through unsanitized input in the myEditor parameter, allowing remote attackers to inject malicious scripts. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification.

XSS Jeewms
NVD VulDB
CVSS 3.1 score: 4.3 | EPSS: 0.0%
CVE-2026-3026 HIGH POC This Week

Jeewms 3.7 contains a server-side request forgery vulnerability in the UEditor plugin's getRemoteImage.jsp file, where the upfile parameter can be manipulated to make the server perform unintended network requests. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Remote attackers can exploit this without authentication to conduct SSRF attacks with low complexity.

SSRF Jeewms
NVD VulDB
CVSS 3.1 score: 7.3 | EPSS: 0.0%
CVE-2025-70311 MEDIUM This Month

JEEWMS 1.0 is vulnerable to SQL injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters of the /systemControl.do interface. [CVSS 6.5 MEDIUM]

SQLi Jeewms
NVD
CVSS 3.1 score: 6.5 | EPSS: 0.0%
CVE-2025-55834 MEDIUM POC This Month

A Cross Site Scripting vulnerability in JeeWMS v.3.7 and before allows a remote attacker to obtain sensitive information via the logController.do component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Jeewms
NVD GitHub
CVSS 3.1 score: 6.1 | EPSS: 0.0%
CVE-2024-53499 CRITICAL POC Act Now

Jeewms v3.7 was discovered to contain a SQL injection vulnerability via the CgReportController API. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Jeewms
NVD
CVSS 3.1 score: 9.8 | EPSS: 0.0%
CVE-2025-50901 CRITICAL POC Act Now

JeeWMS 771e4f5d0c01ffdeae1671be4cf102b73a3fe644 (2025-05-19) contains an incorrect authentication bypass vulnerability, which can lead to arbitrary file reading. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Jeewms
NVD
CVSS 3.1 score: 9.8 | EPSS: 0.1%
CVE-2025-5390 MEDIUM This Month

A vulnerability, which was classified as critical, was found in JeeWMS up to 20250504. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jeewms
NVD VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.2%
CVE-2025-5389 MEDIUM This Month

A vulnerability, which was classified as critical, has been found in JeeWMS up to 20250504. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jeewms
NVD VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.2%
CVE-2025-5388 MEDIUM This Month

A vulnerability classified as critical was found in JeeWMS up to 20250504. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Jeewms
NVD VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.1%
CVE-2025-5387 MEDIUM This Month

A vulnerability classified as critical has been found in JeeWMS up to 20250504. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jeewms
NVD VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.2%
CVE-2025-5386 MEDIUM This Month

A vulnerability was found in JeeWMS up to 20250504. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Jeewms
NVD VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.1%
CVE-2025-5385 MEDIUM This Month

A vulnerability was found in JeeWMS up to 20250504. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Jeewms
NVD VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.6%
CVE-2025-5384 MEDIUM This Month

A vulnerability was found in JeeWMS up to 20250504. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Jeewms
NVD VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.1%
CVE-2025-29213 MEDIUM POC This Month

A zip slip vulnerability in the component \service\migrate\MigrateForm.java of JEEWMS v3.7 allows attackers to execute arbitrary code via a crafted Zip file. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Java Jeewms
NVD GitHub
CVSS 3.1 score: 5.5 | EPSS: 0.3%
CVE-2024-57761 HIGH POC This Week

An arbitrary file upload vulnerability in the parserXML() method of JeeWMS before v2025.01.01 allows attackers to execute arbitrary code via uploading a crafted file. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Jeewms
NVD
CVSS 3.1 score: 8.1 | EPSS: 0.2%
CVE-2024-57760 MEDIUM POC This Week

JeeWMS before v2025.01.01 was discovered to contain a SQL injection vulnerability via the ReportId parameter at /core/CGReportDao.java. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Jeewms
NVD
CVSS 3.1 score: 6.5 | EPSS: 0.2%
CVE-2024-57757 HIGH POC This Month

JeeWMS before v2025.01.01 was discovered to contain a permission bypass in the component /interceptors/AuthInterceptor.cava. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Jeewms
NVD
CVSS 3.1 score: 7.5 | EPSS: 0.1%
CVE-2025-0392 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in Guangzhou Huayi Intelligent Technology Jeewms up to 20241229. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Jeewms
NVD VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.1%
CVE-2025-0391 MEDIUM POC This Month

A vulnerability, which was classified as critical, has been found in Guangzhou Huayi Intelligent Technology Jeewms up to 20241229. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Jeewms
NVD VulDB
CVSS 4.0 score: 5.3 | EPSS: 0.2%
CVE-2025-0390 MEDIUM POC This Week

A vulnerability classified as critical was found in Guangzhou Huayi Intelligent Technology Jeewms up to 20241229. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Jeewms
NVD VulDB
CVSS 4.0 score: 6.9 | EPSS: 0.2%
