Submission #581704: JeeSite v5.11 Server-Side Request Forgery
| Title | JeeSite v5.11 Server-Side Request Forgery |
|---|---|
| Description | A Server-Side Request Forgery (SSRF) and Arbitrary File Read vulnerability exists in JeeSite version 5.11.1 (Spring Boot 3) due to improper input validation of the name parameter in the /cms/fileTemplate/form endpoint. This parameter is propagated through multiple layers and ultimately passed into the Spring ResourceLoader.getResource() method, which accepts multiple URI schemes such as file:, http:, classpath:, etc. An attacker can exploit this chain to read local files or make arbitrary requests from the server. |
| Source | ⚠️ https:/ |
| User | xiaoyang (UID 84496) |
| Submission | 20/05/2025 06:50 PM (1 year ago) |
| Moderation | 25/05/2025 07:33 PM (5 days later) |
| Status | Approved |
| VulDB Entry | 310274 [thinkgem JeeSite up to 5.11.1 URI Scheme /cms/fileTemplate/form ResourceLoader.getResource name privilege escalation] |
| Points | 20 |