jeesite v1.2.7 download link: https://github.com/thinkgem/jeesite
com.thinkgem.jeesite.modules.cms.web.front.FrontSearchController.java, line 99.
On line 82 the incoming parameters bd and ed are used in the search; on line 99 the resulting page object is passed to the template file frontSearch.
In frontSearch.jsp the parameter values are read directly via param.bd and param.ed (param is page), and the user input is not filtered, which results in an XSS vulnerability.
No login is required; visiting the URL below triggers the XSS vulnerability.
We directly closed the bd and ed parameters in the input with double quotes and successfully executed our custom JavaScript code.
http://127.0.0.1:8081/jeesite/f/search?pageNo=1&t=article&cid=&a=1&q=aa&qand=11&qnot=111&pageSize=30&bd=2020-06-01"><img src=x onerror=alert(1)><"&ed=2020-06-17"><img src=x onerror=alert(2)><"
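A hardened version of the template pattern described above, as an added example that is not the project's own frontSearch.jsp (the input elements around param.bd and param.ed are assumed; only the unescaped use of the two parameters comes from the report):

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>

<%-- Vulnerable pattern (hypothetical reconstruction): EL interpolates the raw request
     parameter into a quoted attribute, so a double quote inside bd or ed closes the
     attribute and everything after it is rendered as markup. --%>
<input type="text" name="bd" value="${param.bd}"/>
<input type="text" name="ed" value="${param.ed}"/>

<%-- Hardened form: fn:escapeXml encodes <, >, &, ' and " on output, so the value can
     never leave the attribute it was written into, whatever the request carries. --%>
<input type="text" name="bd" value="${fn:escapeXml(param.bd)}"/>
<input type="text" name="ed" value="${fn:escapeXml(param.ed)}"/>

<%-- Equivalent with c:out, which escapes by default (escapeXml="true"). --%>
<input type="text" name="bd" value="<c:out value="${param.bd}"/>"/>
<input type="text" name="ed" value="<c:out value="${param.ed}"/>"/>
```

Output encoding is the fix for the reflected value; since bd and ed are dates, the controller can additionally reject anything that does not parse as yyyy-MM-dd before it reaches the search or the template.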