thinkgem JeeSite
cpe:2.3:a:jeesite:jeesite:*:*:*:*:*:*:*
- <= 5.12.0
A cross-site scripting (XSS) vulnerability has been identified in thinkgem JeeSite versions through 5.12.0. The issue arises in the XSS Filter component, specifically within the 'xssFilter' function of 'EncodeUtils.java'. This vulnerability allows for the injection of malicious scripts by manipulating the 'text' argument, which is not properly sanitized before being output to users. The flaw can be exploited remotely, and has been publicly disclosed along with a proof-of-concept exploit.
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.
The vulnerability can be reproduced by sending a POST request to the '/js/a/sys/user/infoSaveBase' endpoint with a 'userName' field that includes XSS payloads, such as a script tag or an SVG image with an 'onload' event. Alternatively, the '/js/a/sys/office/save' endpoint can be used with similar payloads in the 'remarks' field.
Users are advised to update to the patched version of thinkgem JeeSite. The patch is available in the commit identified by the hash '3585737d21fe490ff6948d913fcbd8d99c41fc08'.
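An added example, not JeeSite's code or the patch from the commit above: it contrasts a constructed denylist-style input filter with HTML output encoding, using constructed sample values for the two payload classes this advisory names. The class `OutputEncodingDemo` and the methods `denylistFilter` and `escapeHtml` are hypothetical names, and the denylist is an assumption about how input filters commonly fall short, not a description of the real `xssFilter`.

```java
import java.util.List;

// Added example: not JeeSite code. All names here are hypothetical.
public class OutputEncodingDemo {

    // Constructed denylist filter: removes <script> blocks and nothing else.
    // It stands in for any input-side filter that enumerates known-bad markup.
    static String denylistFilter(String text) {
        return text == null ? null
            : text.replaceAll("(?is)<script\\b.*?</script\\s*>", "");
    }

    // Output encoding for HTML element content and quoted attribute values.
    // Every character that can open markup or close an attribute is escaped.
    static String escapeHtml(String text) {
        if (text == null) return "";
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, as they might be stored in a field
        // such as userName or remarks.
        List<String> samples = List.of(
            "<script>alert(1)</script>",
            "<svg onload=alert(1)>",
            "Alice & Bob");
        for (String s : samples) {
            String filtered = denylistFilter(s);
            String encoded = escapeHtml(s);
            // A remaining '<' means the browser would still parse markup.
            System.out.printf("%-28s denylist-live=%-5b encoded-live=%b%n",
                s, filtered.contains("<"), encoded.contains("<"));
        }
    }
}
```

Encoding at render time for fields such as `userName` and `remarks` keeps stored values inert even when an input filter misses a vector.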