erzhongxmu JEEWMS UEditor Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in erzhongxmu JEEWMS versions through 3.7. This issue arises in the UEditor component, specifically within the file 'src/main/webapp/plug-in/ueditor/jsp/getContent.jsp'. The vulnerability is triggered by manipulating the 'myEditor' argument, allowing remote attackers to execute scripts in the context of the user's browser session. The exploitation of this vulnerability is public knowledge and has been demonstrated.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user.

Reproduction

To reproduce this vulnerability, send a request to the 'getContent.jsp' file within the UEditor plugin directory. Include a crafted 'myEditor' argument that contains the script payload. The injected script will be executed in the user's browser, demonstrating the cross-site scripting vulnerability.