CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49442
https://notcve.org/view.php?id=CVE-2023-49442
Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via crafted POST request. La deserialización de datos que no son de confianza en jeecgFormDemoController en JEECG 4.0 y versiones anteriores permite a los atacantes ejecutar código arbitrario mediante una solicitud POST manipulada. • https://lemono.fun/thoughts/JEECG-RCE.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-41544
https://notcve.org/view.php?id=CVE-2023-41544
SSTI injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to execute arbitrary code via crafted HTTP request to the /jmreport/loadTableData component. Vulnerabilidad de inyección SSTI en jeecg-boot versión 3.5.3, permite a atacantes remotos ejecutar código arbitrario a través de una solicitud HTTP manipulada al componente /jmreport/loadTableData. • https://pho3n1x-web.github.io/2023/09/18/CVE-2023-41544%28JeecgBoot_SSTI%29 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-41543
https://notcve.org/view.php?id=CVE-2023-41543
SQL injection vulnerability in jeecg-boot v3.5.3, allows remote attackers to escalate privileges and obtain sensitive information via the component /sys/replicate/check. Vulnerabilidad de inyección SQL en jeecg-boot v3.5.3, permite a atacantes remotos escalar privilegios y obtener información confidencial a través del componente /sys/replicate/check. • https://mp.weixin.qq.com/s/q6R-kaN4XS5d_cgWtq46vw https://pho3n1x-web.github.io/2023/09/18/CVE-2023-41543%28JeecgBoot_sql%29 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-41542
https://notcve.org/view.php?id=CVE-2023-41542
SQL injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to escalate privileges and obtain sensitive information via the jmreport/qurestSql component. Vulnerabilidad de inyección SQL en jeecg-boot versión 3.5.3, permite a atacantes remotos escalar privilegios y obtener información confidencial a través del componente jmreport/qurestSql. • https://pho3n1x-web.github.io/2023/09/15/CVE-2023-41542%28JeecgBoot_sql%29 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6307 – jeecgboot JimuReport image path traversal
https://notcve.org/view.php?id=CVE-2023-6307
A vulnerability classified as critical was found in jeecgboot JimuReport up to 1.6.1. Affected by this vulnerability is an unknown functionality of the file /download/image. The manipulation of the argument imageUrl leads to relative path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/N0b1e6/exp/blob/main/README.md https://vuldb.com/?ctiid.246133 https://vuldb.com/?id.246133 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •