| Title | GitHub JeecgBoot 3.9.2 Improper Neutralization of Alternate XSS Syntax |
|---|
| Description | Version: v3.9.2
Branch: master
Vulnerability Description: The project allows uploading .svg files. Although the `/sys/common/static/**` file access path adds `Content-Disposition: attachment` to force download, preventing the SVG from being rendered as an inline document by the browser, the upload directory is also configured as a static resource directory and is accessed externally via `/**`.
Therefore, an attacker who uploads an SVG containing inline scripts can bypass the forced download path of `/sys/common/static/**` and directly access the static resource URL mapped to the upload directory. When the browser renders the SVG as a top-level document, the scripts within the SVG can be executed, resulting in a stored XSS vulnerability.
Scope of Impact
Vulnerability Type: Stored XSS
Attacker Role: User with file upload privileges
Login Required: Login required for uploads; anonymous access is possible via the triggering access path
Affected Users: Users accessing malicious SVG direct URLs
Affected Interfaces
Upload Interface: sys/common/upload
Forced Download Access Path: /sys/common/static/{filePath}
Static Resource Direct Link Path that Can Trigger XSS: {filePath}
Affected Code
// Upload allowlist: svg is an accepted upload type
FILE_TYPE_WHITE_LIST.add("svg");
// Static resource mapping: files in the upload directory can be accessed directly via static resource paths, bypassing the file download controller.
ResourceHandlerRegistration resourceHandlerRegistration = registry.addResourceHandler("/**");
resourceHandlerRegistration
.addResourceLocations("file:" + jeecgBaseConfig.getPath().getUpload() + "//")
.addResourceLocations("file:" + jeecgBaseConfig.getPath().getWebapp() + "//");
// Download controller (CommonController): only this route forces Content-Disposition: attachment
@GetMapping(value = "/static/**")
public void view(HttpServletRequest request, HttpServletResponse response) {
...
response.setContentType("application/force-download");
response.addHeader("Content-Disposition", "attachment;fileName=" + ...);
...
}
// Shiro filter chain: SVG static resources are released anonymously, so the direct link needs no login
filterChainDefinitionMap.put("/**/*.svg", "anon");
Vulnerability reproduction
curl.exe -H "X-Access-Token: <token>" \
-F "file=@poc-svg-xss.svg;type=image/svg+xml" \
"http://127.0.0.1:8080/jeecg-boot/sys/common/upload?biz=xxx"
{
"success": true,
"message": "xxx/poc-svg-xss_1779178961881.svg"
}
Accessing http://127.0.0.1:8080/jeecg-boot/xxx/poc-svg-xss_1779178961881.svg triggers the JavaScript code. |
|---|
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9646 |
|---|
| User | 0Xrry (UID 86188) |
|---|
| Submission | 06/03/2026 12:53 |
|---|
| Moderation | 07/04/2026 06:52 (1 month later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 362347 [JeecgBoot up to 3.9.1 SVG File CommonController.java cross site scripting] |
|---|
| Points | 0 |
|---|
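The submission above shows why a `Content-Disposition: attachment` header on one route is not a defence when a second route (`/**` mapped onto the upload directory) serves the same file inline: the fix has to happen at upload time or by removing the second route. The following is an added example, not code from the submission or from JeecgBoot, of an upload-side check that rejects SVGs carrying active content. It is written in Python so that it runs stand-alone; the same walk over the parsed DOM ports to a Java `DocumentBuilder`. It goes beyond the inline `<script>` case in the report to the "alternate syntax" forms the entry title refers to: event-handler attributes, entity-encoded or whitespace-split `javascript:` URLs, an `href` animated into a script URL with `<set>`, and `foreignObject`. The policy choices (reject any DTD outright, allow only `data:image/` hrefs) and the `SAMPLES` inputs are constructed assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Element local names (compared case-insensitively) that execute or embed active content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# URL schemes that must never appear in any attribute value, checked after the XML parser
# has decoded character references and after the whitespace browsers ignore is removed.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
# Assumed upload policy for this example: uploaded SVGs may not carry a DTD at all
# (this also sidesteps entity-expansion tricks before the parser ever sees them).
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def _local_name(qname):
    """'{http://www.w3.org/2000/svg}svg' -> 'svg'; un-namespaced names pass through."""
    return qname.rsplit("}", 1)[-1]


def _normalized_prefix(value):
    """Lower-case and drop whitespace/control characters browsers ignore inside a URL scheme."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


def find_active_content(svg_bytes):
    """Return the list of reasons this upload must be rejected; an empty list means clean."""
    findings = []
    text = svg_bytes.decode("utf-8", errors="replace")
    if DTD_RE.search(text):
        return ["dtd: DOCTYPE/ENTITY declarations are rejected before parsing"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"parse: not well-formed XML ({exc})"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root: expected {{{SVG_NS}}}svg, got {root.tag}")
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # comments/PIs, if a custom parser kept them
            continue
        name = _local_name(elem.tag)
        if name.lower() in ACTIVE_ELEMENTS:
            findings.append(f"element: <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr).lower()
            if attr_name.startswith("on"):
                findings.append(f"event handler: {attr_name} on <{name}>")
            prefix = _normalized_prefix(value)
            # Any attribute, not only href: <set to="javascript:..."> retargets an href at runtime.
            if prefix.startswith(SCRIPT_SCHEMES):
                findings.append(f'script url: {attr_name}="{value[:40]}" on <{name}>')
            if attr_name == "href" and prefix.startswith("data:") and not prefix.startswith("data:image/"):
                findings.append(f"data url: href on <{name}> embeds non-image content")
    return findings


# Constructed sample uploads for this example (not taken from the report).
SAMPLES = {
    "clean": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    "entity_href": (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                    b'<a xlink:href="&#106;ava&#9;script:alert(1)"><text>x</text></a></svg>'),
    "set_href": (b'<svg xmlns="http://www.w3.org/2000/svg"><a><set attributeName="href" '
                 b'to="javascript:alert(1)"/><text>x</text></a></svg>'),
    "foreign": (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
                b'<body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/>'
                b'</body></foreignObject></svg>'),
    "dtd": b'<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg"/>',
}


def scan_samples():
    """Run the check over every constructed sample; returns {name: findings}."""
    return {name: find_active_content(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:12} {'ACCEPT' if not findings else 'REJECT'}  {findings}")
```

A check like this belongs in the upload handler next to the extension allowlist, because the `/**` resource handler and the `anon` Shiro rule make every file under the upload directory reachable without the download controller's headers; the complementary server-side fix is to stop mapping the upload directory under `/**` at all, or to serve it only through the `/sys/common/static/**` route.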