Jeesite XXE Vulnerability Report (CWE-611)

1. Description

Jeesite has an XXE vulnerability. User-controlled XML is parsed without proper XXE protections, allowing attacker-crafted entities to trigger server-side outbound requests (SSRF impact).

2. Vulnerability Path (Source -> Sink)

1. The route is mapped to the filter: , with default .
   - data/project-sources/jeesite5.15.1/modules/core/src/main/resources/config/jeesite-core.yml:573
   - data/project-sources/jeesite5.15.1/modules/core/src/main/resources/config/jeesite-core.yml:180
2. The application context path is , so the actual endpoint is .
   - data/project-sources/jeesite5.15.1/web/src/main/resources/config/application.yml:28
3. enters the authentication flow ( ).
   - data/project-sources/jeesite5.15.1/m2-decompiled-src/jeesite-module-cas/5.1.5.1.springboot3-SNAPSHOT/jeesite-module-cas-5.15.1.springboot3-20260127.124313-1/com/jeesite/common/shiro/cas/CasBaseFilter.java:43
4. hits the SLO branch and calls .
   - data/project-sources/jeesite5.15.1/modules/core/src/main/java/com/jeesite/common/shiro/realm/CasAuthorizingRealm.java:60
   - data/project-sources/jeesite5.15.1/modules/core/src/main/java/com/jeesite/common/shiro/realm/CasAuthorizingRealm.java:61
5. directly returns for POST .
   - data/project-sources/jeesite5.15.1/m2-decompiled-src/jeesite-module-cas/5.15.1.springboot3-SNAPSHOT/jeesite-module-cas-5.15.1.springboot3-20260127.124313-1/org/jasig/cas/client/util/CommonUtils.java:151
   - data/project-sources/jeesite5.15.1/m2-decompiled-src/jeesite-module-cas/5.15.1.springboot3-SNAPSHOT/jeesite-module-cas-5.15.1.springboot3-20260127.124313-1/org/jasig/cas/client/util/CommonUtils.java:154
6. is passed into , which uses + with no XXE hardening features.
   - data/project-sources/jeesite5.15.1/m2-decompiled-src/jeesite-module-cas/5.15.1.springboot3-SNAPSHOT/jeesite/common/shiro/cas/CasOutHandler.java:89
   - data/project-sources/jeesite5.15.1/m2-decompiled-src/jeesite-module-cas/5.15.1.springboot3-SNAPSHOT/jeesite-module-cas-5.15.1.springboot3-20260127.124313-1/org/jasig/cas/client/util/XmlUtils.java:27
   - data/project-sources/jeesite5.15.1/m2-decompiled-src/jeesite-module-cas/5.15.1.springboot3-SNAPSHOT/jeesite-module-cas-5.15.1.springboot3-20260127.124313-1/org/jasig/cas/client/util/XmlUtils.java:106

3. Analysis of Key Vulnerability Code

3.1 User Input Reaches the Sink Directly

This explicitly allows the POST body to flow directly into later processing, so the parsed input is attacker-controlled.

3.2 Dangerous Parsing Point

(user-controlled XML) is passed directly to XML parsing. No hardening such as is present, so XXE risk exists.

4. Verification Code

Run example:

4.3 Key Payload