CVE-2026-3404
XML External Entity Injection in thinkgem JeeSite Endpoint Component
Publication date: 2026-03-02
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeesite | jeesite | up to and including 5.15.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3404 is an XML External Entity (XXE) vulnerability found in thinkgem JeeSite up to version 5.15.1. It exists in an endpoint that processes a user-controlled POST parameter named `logoutRequest`, which is parsed as XML without proper mitigation against XXE attacks.
This improper XML parsing allows an attacker to supply crafted XML input that can trigger server-side outbound requests, effectively enabling Server-Side Request Forgery (SSRF) behavior. The vulnerable code is located in CasOutHandler.java, which handles the XML external entity references.
The vulnerability can be exploited remotely, but the attack is considered highly complex and difficult to perform. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact the confidentiality, integrity, and availability of the affected system. By exploiting the XXE flaw, an attacker can cause the server to make unauthorized outbound requests (SSRF), potentially accessing internal resources or sensitive data.
Depending on the runtime environment and configuration, further entity-based attacks may be possible, increasing the risk of data exposure or system disruption.
Since the vulnerability is remotely exploitable and a proof-of-concept exploit is publicly available, attackers may leverage it to compromise the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves XML External Entity (XXE) processing in the `logoutRequest` POST parameter of the vulnerable endpoint. Detection can focus on monitoring for suspicious XML payloads containing DOCTYPE declarations or external entity references sent to the affected endpoint.
Network detection could involve capturing and inspecting HTTP POST requests to the endpoint that processes the `logoutRequest` parameter, looking for XML content with DOCTYPE or ENTITY declarations.
- Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for POST requests containing XML payloads.
- Example tcpdump command to capture HTTP packets with a non-empty payload on port 80: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`. Traffic on port 443 is TLS-encrypted, so it has to be inspected where TLS is terminated (reverse proxy, load balancer or WAF) rather than on the wire.
- Use grep or similar tools to search captured traffic for XML DOCTYPE declarations: `grep -i '<!DOCTYPE' captured_traffic.txt`. Note that `logoutRequest` is normally sent as a form parameter, so the declaration may appear URL-encoded in captures and logs (`%3C%21DOCTYPE`); search for both forms.
- On the server, review logs for POST requests containing suspicious XML payloads with external entity references.
Since the vulnerability is in CasOutHandler.java handling the `logoutRequest` parameter, focusing detection on requests to endpoints that accept this parameter is advised. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Currently, no patches or vendor-provided mitigations are available for this vulnerability as the vendor did not respond to the disclosure.
Immediate mitigation steps include:
- Disable XML external entity processing in the affected component if possible, by configuring the XML parser to disallow DOCTYPE declarations and external entity resolution.
- Restrict or block incoming requests to the vulnerable endpoint that process the `logoutRequest` parameter, especially those containing XML payloads.
- Implement network-level controls such as Web Application Firewalls (WAFs) to detect and block malicious XML payloads attempting XXE exploitation.
- Consider replacing the affected component (thinkgem JeeSite up to version 5.15.1) with an alternative product that does not contain this vulnerability.
Monitoring for exploitation attempts and applying strict input validation on XML inputs are also recommended as interim protective measures.
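One way to apply the parser hardening described above, and to use the same DOCTYPE/ENTITY check as the log and alert signal the detection section suggests, as an added example that is not JeeSite's code (the class and method names are hypothetical; it assumes the `logoutRequest` parameter carries a CAS SAML LogoutRequest whose SessionIndex identifies the session to invalidate):

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added illustration, not JeeSite's CasOutHandler: hardened parsing of the SAML
// LogoutRequest that a CAS server posts in the "logoutRequest" parameter.
public final class SafeLogoutRequestParser {
    static final String SAML_P = "urn:oasis:names:tc:SAML:2.0:protocol";
    // Constructed sample of a legitimate single-logout body.
    static final String SAMPLE =
        "<samlp:LogoutRequest xmlns:samlp=\"" + SAML_P + "\" ID=\"_1\">"
      + "<samlp:SessionIndex>ST-1-example</samlp:SessionIndex></samlp:LogoutRequest>";

    // Parser that refuses DOCTYPE, external entities, external DTDs and XInclude.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Cheap pre-parse check; the same test doubles as a log or WAF detection signal.
    static boolean hasDoctypeOrEntity(String xml) {
        String u = xml.toUpperCase();
        return u.contains("<!DOCTYPE") || u.contains("<!ENTITY");
    }

    // Returns the SessionIndex (the ticket to invalidate) or null when the body is rejected.
    static String sessionIndex(String xml) {
        if (hasDoctypeOrEntity(xml)) return null;   // reject (and log) before parsing at all
        try {
            NodeList n = hardenedBuilder().parse(new InputSource(new StringReader(xml)))
                             .getElementsByTagNameNS(SAML_P, "SessionIndex");
            return n.getLength() == 0 ? null : n.item(0).getTextContent();
        } catch (Exception e) {   // the parser itself also refuses any DOCTYPE
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println(sessionIndex(SAMPLE));              // legitimate request
        System.out.println(sessionIndex("<!DOCTYPE x><x/>"));  // any DOCTYPE is rejected
    }
}
```

The string check is only a signal (an encoded or obfuscated declaration can slip past it); the parser features are the actual control, which is why the DOCTYPE is refused a second time inside the parser.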