Platform: java
Component: jeewms
Fixed versions: 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1, 3.5.1, 3.6.1, 3.7.1
CVE-2026-3028 is a cross-site scripting (XSS) vulnerability discovered in JEEWMS versions 3.0 to 3.7. This flaw resides within the doAdd function of the JeecgListDemoController.java file, allowing attackers to inject malicious scripts through manipulation of the Name argument. The vulnerability is remotely exploitable and has been publicly disclosed, highlighting the urgency of remediation.
Successful exploitation of CVE-2026-3028 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the JEEWMS application. This can lead to a variety of malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. An attacker could potentially gain access to sensitive data stored within JEEWMS, such as user information, financial records, or other confidential data. The impact is amplified if JEEWMS is integrated with other systems, as the attacker could potentially use this vulnerability as a stepping stone to compromise other parts of the infrastructure.
CVE-2026-3028 has been publicly disclosed, increasing the likelihood of exploitation. The vulnerability's severity is rated as medium (CVSS 4.3). No specific exploit campaigns or actor attribution have been publicly reported at this time. The vulnerability was disclosed to the vendor, erzhongxmu, but they did not respond. Refer to the NVD entry published on 2026-02-23 for further details.
Exploit status
EPSS: 0.03% (8th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-3028 is to upgrade JEEWMS to a patched version. Unfortunately, a fixed version is not currently specified. As a temporary workaround, implement strict input validation and sanitization on the Name parameter within the doAdd function. This can be achieved by using a web application firewall (WAF) with XSS protection rules or by implementing custom filtering logic. Additionally, consider implementing Content Security Policy (CSP) to restrict the sources from which scripts can be executed, limiting the potential impact of a successful XSS attack. Regularly review and update JEEWMS configuration to ensure best practices are followed.
Update JEEWMS to version 3.7 or later to fix the cross-site scripting (XSS) vulnerability in the doAdd function of the JeecgListDemoController.java file. Refer to the release notes or changelog for the specific fix. If a fixed version is not available, consider mitigations such as validating and sanitizing user input to prevent the injection of malicious code.
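As an added illustration of the workaround described above (this is not JEEWMS code; the real doAdd in JeecgListDemoController.java is not shown on this page), the following hypothetical Java handler contrasts an unencoded reflection of the name value with a hardened form that allow-list validates the input, HTML-encodes it on output and sets a Content Security Policy header. The class name, the request parameter name `name`, the length and character limits, and the Servlet API on the classpath are all assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class DemoControllerExample {

    // Hypothetical vulnerable pattern: the user-controlled name lands in the
    // response body unencoded, so any markup in it is rendered by the browser.
    static String renderUnsafe(String name) {
        return "<div>Added: " + name + "</div>";
    }

    // Output encoding for an HTML text or quoted-attribute context; these five
    // characters are the ones that can break out of that context.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: same template, encoded value.
    static String renderSafe(String name) {
        return "<div>Added: " + escapeHtml(name) + "</div>";
    }

    // Hypothetical servlet-style handler: allow-list validation on input,
    // encoding on output, and a CSP header as defence in depth.
    public void doAdd(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");  // parameter name is an assumption
        if (name == null || name.length() > 100 || !name.matches("[\\p{L}\\p{N} ._-]+")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid name");
            return;
        }
        resp.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self'");
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().print(renderSafe(name));
    }
}
```

Note that `script-src 'self'` also blocks the application's own inline scripts, so the policy must be tested against the JEEWMS pages it will cover before it is deployed.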
CVE-2026-3028 is a cross-site scripting (XSS) vulnerability affecting JEEWMS versions 3.0 through 3.7. It allows attackers to inject malicious scripts through the Name parameter in the doAdd function, potentially leading to session hijacking and data theft.
If you are running JEEWMS versions 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, or 3.7, you are potentially affected by this vulnerability. Check your JEEWMS version and apply the recommended mitigations.
Upgrade to a patched version of JEEWMS. As a workaround, implement strict input validation and sanitization on the Name parameter and consider using a WAF with XSS protection.
While no active campaigns have been publicly reported, the vulnerability has been publicly disclosed, increasing the risk of exploitation. Proactive mitigation is highly recommended.
As of the current disclosure, erzhongxmu has not released an official advisory. Refer to the National Vulnerability Database (NVD) entry for CVE-2026-3028 for more information: https://nvd.nist.gov/vuln/detail/CVE-2026-3028