| Title | Jeesite v5.15.1 XXE |
|---|
| Description | Jeesite has an is an XML External Entity (XXE) vulnerability (CWE-611).
The endpoint accepts a user-controlled POST parameter logoutRequest, which is parsed as XML without explicit XXE-hardening features (such as disabling DOCTYPE and external entities).
As a result, an attacker can supply malicious XML to trigger server-side outbound requests (SSRF behavior), and in some runtime configurations may attempt further entity-based abuse. |
|---|
| Source | ⚠️ https://www.yuque.com/la12138/pa2fpb/ew8x2qss8dv0bsu0?singleDoc |
|---|
| User | Saul1213 (UID 94577) |
|---|
| Submission | 02/20/2026 08:49 (2 months ago) |
|---|
| Moderation | 03/01/2026 07:55 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 348299 [thinkgem JeeSite up to 5.15.1 Endpoint CasOutHandler.java xml external entity reference] |
|---|
| Points | 19 |
|---|