提出 #581704: JeeSite v5.11 Server-Side Request Forgery情報

タイトルJeeSite v5.11 Server-Side Request Forgery
説明A Server-Side Request Forgery (SSRF) and Arbitrary File Read vulnerability exists in JeeSite version 5.11.1 (Spring Boot 3) due to improper input validation of the name parameter in the /cms/fileTemplate/form endpoint. This parameter is propagated through multiple layers and ultimately passed into the Spring ResourceLoader.getResource() method, which accepts multiple URI schemes such as file:, http:, classpath:, etc. An attacker can exploit this chain to read local files or make arbitrary requests from the server.
ソース⚠️ https://github.com/xiaoyangsec/JeeSite_SSRF/blob/main/jeesite5-ssrf-file-read.md
ユーザー
 xiaoyang (UID 84496)
送信2025年05月20日 18:50 (1 年 ago)
モデレーション2025年05月25日 19:33 (5 days later)
ステータス承諾済み
VulDBエントリ310274 [thinkgem JeeSite 迄 5.11.1 URI Scheme /cms/fileTemplate/form ResourceLoader.getResource 名前 特権昇格]
ポイント20

概要

Do you need the next level of professionalism?

Upgrade your account now!