SSTI injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to execute arbitrary code via crafted HTTP request to the /jmreport/loadTableData component.
The attacker sends a crafted HTTP request to the /jmreport/loadTableData endpoint, injecting malicious payload into the server-side template being processed. The template engine interprets the passed data as code and executes it in the server context. This mechanism corresponds to the CWE-94 classification (Improper Control of Generation of Code), where user input is improperly neutralized before being passed to the template interpreter.
An attacker can remotely execute arbitrary code on the server (RCE) without any authentication, potentially leading to complete system takeover, data theft, and compromise of service integrity and availability.
Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict network access to the /jmreport/loadTableData endpoint only to trusted sources if immediate patching is not possible.
Jeecg Boot version 3.5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJeecg Boot
APPJeecg≤ 3.5.3
Related vulnerabilities
Injection/RCE w Jeecg Boot 3.0.0–3.5.3 przez niedostateczne filtrowanie znaków
Command injection w Jeecg Boot — zdalne wykonanie kodu przez /jmreport/show
SQL Injection w JeecgBoot przez endpoint getTotalData
SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych
SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych