JeeSite Stored Cross-Site Scripting Vulnerability in Message Content Parameter

Vulnerability

A stored cross-site scripting vulnerability affects JeeSite versions through 5.15.1. An attacker able to submit an internal message places script-bearing HTML in the 'msgContent' parameter of the '/a/msg/msgInner/save' endpoint; the content is persisted without sanitization, and whenever a recipient opens the message the application renders it as raw HTML, so the injected script executes in the recipient's browser under the recipient's session. This can lead to session hijacking, privilege escalation, and API actions performed with the victim's privileges.

Impact

Exploitation yields stored cross-site scripting: the injected script runs in the context of every user who views the message, with that user's cookies and application permissions, potentially leading to session hijacking and privilege escalation. Because the payload is stored server-side rather than reflected from a crafted URL, the victim does not need to click an attacker-supplied link; simply opening the message is enough, and the payload keeps firing for each new viewer until it is removed.

Reproduction

To reproduce this vulnerability, submit an XSS payload in the 'msgContent' parameter to the '/a/msg/msgInner/save' endpoint, then open the message through the '/a/msg/msgInner/view' endpoint. The view page renders 'msgContent' with Vue's 'v-html' directive, which assigns the string to the element's innerHTML without escaping, so any markup in the stored content is parsed and executed. Note that a bare '<script>' element inserted through innerHTML is not executed by browsers, so payloads rely on event-handler attributes or similar constructs rather than script tags. Rendering the same field with Vue's text interpolation ('{{ }}') instead of 'v-html' would display the markup as literal text and not trigger the issue.
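The unsafe rendering pattern described above and its safe counterparts, as an added example: this is not JeeSite's code and not the fix shipped in 5.16.0 (the advisory does not say what that fix changed). It shows what text interpolation does to a stored field, an allow-list sanitizer that could be applied to 'msgContent' before it reaches 'v-html', and a detector for auditing messages already stored. The allow-lists, regular expressions and sample rows are assumptions chosen for illustration.

```javascript
// Added example, not JeeSite code. The advisory says the view page hands
// msgContent to Vue's v-html, i.e. straight into innerHTML. Below: (a) what
// {{ }} text interpolation does instead, (b) an allow-list sanitizer for a
// rich-text field, (c) an audit helper for messages already stored.
// Allow-lists, regexes and sample rows are assumptions for illustration.

// (a) Equivalent of Vue's {{ }} interpolation: markup becomes literal text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Text nodes inside rich content: keep existing entities, neutralise stray & < >.
function escapeText(s) {
  return s
    .replace(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// (b) Allow-list sanitizer. Unlisted tags are removed (their text is kept), the
// body of script-like tags is discarded entirely, and the only attribute that
// survives is an http(s)/relative/fragment href on <a>, so onerror=, onload=,
// javascript: and the like never reach the viewer's DOM.
const ALLOWED_TAGS = new Set(["b", "i", "u", "p", "br", "ul", "ol", "li", "a"]);
const DROP_BODY_TAGS = new Set(["script", "style", "iframe", "object", "embed"]);

function safeHref(attrs) {
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
  if (!m) return null;
  const value = (m[1] ?? m[2] ?? m[3]).trim();
  // Browsers ignore control characters inside a scheme ("java\tscript:"),
  // so strip them before deciding what the scheme really is.
  const probe = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return /^(https?:\/\/|\/(?!\/)|#)/.test(probe) ? value : null;
}

function sanitizeRichText(html) {
  const input = String(html);
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  let out = "";
  let last = 0;
  let skipping = null; // name of the DROP_BODY tag whose body is being discarded
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    const [raw, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (skipping) {
      if (slash && name === skipping) skipping = null;
    } else {
      out += escapeText(input.slice(last, m.index));
      if (DROP_BODY_TAGS.has(name)) {
        if (!slash) skipping = name;
      } else if (ALLOWED_TAGS.has(name)) {
        if (slash) out += `</${name}>`;
        else if (name === "br") out += "<br>";
        else if (name === "a") {
          const href = safeHref(attrs);
          out += href ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">` : "<a>";
        } else out += `<${name}>`;
      }
      // any other tag (img, svg, form, ...) is dropped; its text content flows through
    }
    last = m.index + raw.length;
  }
  if (!skipping) out += escapeText(input.slice(last));
  return out;
}

// (c) Audit helper for stored messages: returns the indicator patterns that
// fire on a msgContent value (empty array means nothing suspicious).
const XSS_INDICATORS = [
  /<\s*(script|iframe|svg|object|embed|math)\b/i,
  /<[^>]*[\s\/]on[a-z]+\s*=/i, // event-handler attribute inside a tag
  /javascript\s*:/i,
  /data\s*:\s*text\/html/i,
];

function looksLikeXss(msgContent) {
  const s = String(msgContent);
  return XSS_INDICATORS.filter((re) => re.test(s)).map((re) => re.source);
}

function auditMessages(rows) {
  return rows.filter((r) => looksLikeXss(r.msgContent).length > 0).map((r) => r.id);
}

// Constructed sample rows standing in for stored messages (not real data).
const SAMPLE_ROWS = [
  { id: "m1", msgContent: "Meeting moved to <b>10:00</b>, see you there" },
  { id: "m2", msgContent: '<img src=x onerror="alert(document.cookie)">' },
  { id: "m3", msgContent: '<a href="javascript:alert(document.cookie)">invoice</a>' },
  { id: "m4", msgContent: "<svg/onload=alert(1)>" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("flagged:", auditMessages(SAMPLE_ROWS));
  for (const r of SAMPLE_ROWS) console.log(r.id, "=>", sanitizeRichText(r.msgContent));
}
```

Running the file flags m2, m3 and m4 and prints each message as the sanitizer would emit it (m2 and m4 become empty strings, m3 loses its href). In an application the sanitizer belongs on the server at save time and again at render time, since a stored-XSS fix that only changes the view leaves already-stored payloads in the database.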

Remediation

Users are advised to update to JeeSite version 5.16.0 or later, which addresses this vulnerability. Because the payload is stored, upgrading alone does not remove messages that were injected before the fix; review existing message content for injected markup as part of the remediation.

Added: Apr 30, 2026, 6:25 PM
Updated: Apr 30, 2026, 6:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 1.7
exploitability: 6.3
remediation: 8.3
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.