jeewx-boot

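A free, open-source WeChat management platform written in Java. It supports WeChat official accounts, mini programs, third-party platforms and more. The platform already implements basic official-account management, mass messaging, system permissions, lottery activities, a mini-program official website and other features. It is easy to extend through secondary development and lets you quickly build WeChat applications!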

Results 18 jeewx-boot issues

Bumps poi from 3.9 to 4.1.1. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.apache.poi:poi&package-manager=maven&previous-version=3.9&new-version=4.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a...

dependencies

Bumps [mysql-connector-java](https://github.com/mysql/mysql-connector-j) from 5.1.47 to 8.0.28. Changelog Sourced from mysql-connector-java's changelog. Changelog https://dev.mysql.com/doc/relnotes/connector-j/8.0/en/ Version 8.0.29 Fix for Bug#21978230, COMMENT PARSING NOT PROPER IN PREPSTMT.EXECUTEBATCH(). Fix for Bug#81468 (23312764), MySQL server...

dependencies

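Bumps [fastjson](https://github.com/alibaba/fastjson) from 1.2.56 to 1.2.83. Release notes Sourced from fastjson's releases. FASTJSON 1.2.83 released (security fix) This is a security-fix release that fixes a recently reported vulnerability which, in specific scenarios, allows the autoType-disabled restriction to be bypassed; fastjson users are advised to take security measures as soon as possible to protect their systems. Security fix plan: https://github.com/alibaba/fastjson/wiki/security_update_20220523 Issues Security hardening Fix the setAccessible error under JDK17 #4077 Download https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.83/ Documentation https://github.com/alibaba/fastjson/wiki/%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98 Source code https://github.com/alibaba/fastjson/tree/1.2.83 fastjson 1.2.79 released, bug fixes This is another bug...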

dependencies

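##### Version: 1.3 ##### Problem description: 1. AccessToken retrieval problem: Yesterday and this morning I tried to modify the menu, but it kept reporting that the AccessToken had not been obtained. At noon today I did not shut down my server, and when I checked again in the afternoon the AccessToken had been obtained and I could modify the menu. I did not change any code. Is there a delay in obtaining it, or is it a problem with my settings? 2. IP whitelist problem: I created a subscription account myself and added my own computer's IP to the whitelist, but the official account authorization keeps reporting that the IP used by the interface is not in the whitelist. Does the IP have to be a fixed IP? Can my own laptop's IP not be used? Also, official account test accounts do not seem to need an IP whitelist, is that right? I would be very grateful if you could answer my questions! ##### Problem screenshot: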

Bumps [xstream](https://github.com/x-stream/xstream) from 1.4.7 to 1.4.19. Commits See full diff in compare view [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream&package-manager=maven&previous-version=1.4.7&new-version=1.4.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter...

dependencies

##### Version: 1.0.3 ##### Problem description: Compilation fails under JDK 9; after replacing the compiled class, startup fails ##### Problem screenshot: ![image](https://user-images.githubusercontent.com/67677417/141901145-437ce5ee-0768-4c49-83c9-9262568cf6c4.png) Caused by: java.lang.NoClassDefFoundError: sun/misc/BASE64Decoder at org.apache.util.QEncodeUtil.base64Decode(QEncodeUtil.java:69) at org.apache.util.QEncodeUtil.aesDecrypt(QEncodeUtil.java:161) at org.jeecgframework.p3.core.aop.icorep3.check(icorep3.java:54) at org.apache.commons.lang.StringUtil.lastIndexOf(StringUtil.java:1191) at org.apache.commons.lang.StringUtil.(StringUtil.java:1383) at org.apache.util.QEncodeUtil.aesDecrypt(QEncodeUtil.java:161) at org.jeecgframework.p3.core.aop.icorep3.check(icorep3.java:54) at org.apache.commons.lang.CommonRandomUtil.isNotEmpt(CommonRandomUtil.java:3952) at org.apache.commons.lang.CommonRandomUtil.(CommonRandomUtil.java:119)...

The problem exists in "WxActGoldeneggsPrizesController.java". You can see that there is no filtering in the code: ![file](https://user-images.githubusercontent.com/44389101/71501723-f5199c80-28a6-11ea-80fc-98827156c519.jpg) The code uses FileInputStream to load the file directly. ![file1](https://user-images.githubusercontent.com/44389101/71501767-3611b100-28a7-11ea-824f-beebc60e35a4.jpg) `/../../../../../../../../../Windows/win.ini` Successfully read...

## Information ``` Exploit Title:Jeewx-Boot-v1.3-Cross-site request forgery(CSRF) Exploit date:01.06.2021 Exploit Author:Al1ex@Heptagram Vendor Homepage:https://github.com/zhangdaiscott/jeewx-boot Affect Version:Jeewx-Boot-v1.3 Description:There is CSRF vulnerability in jeewx-boot-v1.3. Attackers can construct a malicious page and cheat administrator...

## Information ``` Exploit Title:Jeewx-Boot-v1.3-Storage XSS Exploit date:01.06.2021 Exploit Author:Al1ex@Heptagram Vendor Homepage:https://github.com/zhangdaiscott/jeewx-boot Affect Version:Jeewx-Boot-v1.3 Description:The background voting function module of jeewx-boot-v1.3 allows users to import data through templates, but does...