Submit #846819: GitHub JeecgBoot 3.9.2 Improper Neutralization of Alternate XSS Syntax

Title: GitHub JeecgBoot 3.9.2 Improper Neutralization of Alternate XSS Syntax
Description:

Version: v3.9.2
Branch: master

Vulnerability Description:
The project allows uploading .svg files. Although the `/sys/common/static/**` file access path adds `Content-Disposition: attachment` to force download, preventing the SVG from being rendered as an inline document by the browser, the upload directory is also configured as a static resource directory and is accessed externally via `/**`. Therefore, an attacker who uploads an SVG containing inline scripts can bypass the forced download path of `/sys/common/static/**` and directly access the static resource URL mapped to the upload directory. When the browser renders the SVG as a top-level document, the scripts within the SVG can be executed, resulting in a stored XSS vulnerability.

Scope of Impact
Vulnerability Type: Stored XSS
Attacker Role: User with file upload privileges
Login Required: Login required for uploads; anonymous access is possible via the triggering access path
Affected Users: Users accessing malicious SVG direct URLs

Affected Interfaces
Upload Interface: sys/common/upload
Forced Download Access Path: /sys/common/static/{filePath}
Static Resource Direct Link Path that Can Trigger XSS: {filePath}

Affected Code

    FILE_TYPE_WHITE_LIST.add("svg");

    // Files in the upload directory can be accessed directly via static resource paths, bypassing the file download controller.
    ResourceHandlerRegistration resourceHandlerRegistration = registry.addResourceHandler("/**");
    resourceHandlerRegistration
            .addResourceLocations("file:" + jeecgBaseConfig.getPath().getUpload() + "//")
            .addResourceLocations("file:" + jeecgBaseConfig.getPath().getWebapp() + "//");

    @GetMapping(value = "/static/**")
    public void view(HttpServletRequest request, HttpServletResponse response) {
        ...
        response.setContentType("application/force-download");
        response.addHeader("Content-Disposition", "attachment;fileName=" + ...);
        ...
    }

    // SVG static resources are released anonymously
    filterChainDefinitionMap.put("/**/*.svg", "anon");

Vulnerability reproduction

    curl.exe -H "X-Access-Token: <token>" \
      -F "[email protected];type=image/svg+xml" \
      "http://127.0.0.1:8080/jeecg-boot/sys/common/upload?biz=xxx"

    {
      "success": true,
      "message": "xxx/poc-svg-xss_1779178961881.svg"
    }

Accessing http://127.0.0.1:8080/jeecg-boot/xxx/poc-svg-xss_1779178961881.svg triggers the JavaScript code.
Source: https://github.com/jeecgboot/JeecgBoot/issues/9646
User: 0Xrry (UID 86188)
Submission: 06/03/2026 12:53 (1 month ago)
Moderation: 07/04/2026 06:52 (1 month later)
Status: Duplicate
VulDB entry: 362347 [JeecgBoot up to 3.9.1 SVG File CommonController.java cross site scripting]
Points: 0
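As an added defender's example (not code from JeecgBoot or from the submitter), the following servlet filter closes the gap the report describes: any `.svg` that the `/**` static mapping would serve straight from the upload directory gets the same forced-download treatment the `/sys/common/static/**` controller already applies, plus `nosniff` and a sandboxing CSP in case a client ignores the download hint. The `jakarta.servlet` namespace, the `TRUSTED_PREFIXES` paths for the application's own icons, and registering the filter on `/*` ahead of the resource handler are assumptions.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Locale;

/**
 * Hypothetical hardening filter: uploaded SVGs exposed at the web root by the
 * "/**" resource mapping are never rendered inline by the browser. It mirrors
 * what the /sys/common/static/** controller does and adds browser-side
 * defenses for the case where the download header is ignored.
 */
public class UploadedSvgDownloadFilter implements Filter {

    /** Path prefixes holding the application's own, trusted assets (assumption). */
    private static final String[] TRUSTED_PREFIXES = {
        "/jeecg-boot/static/", "/jeecg-boot/assets/"
    };

    /** True when the request targets an SVG outside the trusted asset folders. */
    static boolean needsHardening(String requestUri) {
        // getRequestURI() excludes the query string, so only the path is inspected.
        String uri = requestUri.toLowerCase(Locale.ROOT);
        for (String prefix : TRUSTED_PREFIXES) {
            if (uri.startsWith(prefix)) return false;
        }
        return uri.endsWith(".svg");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (needsHardening(request.getRequestURI())) {
            // Same effect as the forced-download controller: never shown as a document.
            response.setHeader("Content-Disposition", "attachment");
            // Block MIME sniffing and, if still rendered, deny script execution.
            response.setHeader("X-Content-Type-Options", "nosniff");
            response.setHeader("Content-Security-Policy", "sandbox; script-src 'none'");
        }
        chain.doFilter(req, res);
    }
}
```

Headers set before `chain.doFilter` survive Spring's resource handler, which only adds `Content-Type` and `Content-Length`; removing `svg` from `FILE_TYPE_WHITE_LIST` remains the simpler fix where SVG uploads are not needed.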
