Vulnerability-Lookup

CNVD-2026-06137

Vulnerability from cnvd - Published: 2026-01-22

Title

JeecgBoot queryPageList函数授权问题漏洞

Description

JeecgBoot是一款融合代码生成与AI应用的低代码开发平台，助力企业快速实现低代码开发和构建AI应用。 JeecgBoot存在授权问题漏洞，该漏洞源于文件/sys/sysDepartRole/list的queryPageList函数中参数deptId存在不当的授权，攻击者可利用该漏洞导致信息泄露。

Severity

低

Formal description

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://jeecg.com/

Reference

https://github.com/Hwwg/cve/issues/32

Impacted products

Name
JeecgBoot JeecgBoot <=3.9.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-15119",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-15119"
    }
  },
  "description": "JeecgBoot\u662f\u4e00\u6b3e\u878d\u5408\u4ee3\u7801\u751f\u6210\u4e0eAI\u5e94\u7528\u7684\u4f4e\u4ee3\u7801\u5f00\u53d1\u5e73\u53f0\uff0c\u52a9\u529b\u4f01\u4e1a\u5feb\u901f\u5b9e\u73b0\u4f4e\u4ee3\u7801\u5f00\u53d1\u548c\u6784\u5efaAI\u5e94\u7528\u3002\n\nJeecgBoot\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6587\u4ef6/sys/sysDepartRole/list\u7684queryPageList\u51fd\u6570\u4e2d\u53c2\u6570deptId\u5b58\u5728\u4e0d\u5f53\u7684\u6388\u6743\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://jeecg.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-06137",
  "openTime": "2026-01-22",
  "products": {
    "product": "JeecgBoot JeecgBoot \u003c=3.9.0"
  },
  "referenceLink": "https://github.com/Hwwg/cve/issues/32",
  "serverity": "\u4f4e",
  "submitTime": "2026-01-09",
  "title": "JeecgBoot queryPageList\u51fd\u6570\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2025-15119 (GCVE-0-2025-15119)

Vulnerability from cvelistv5 – Published: 2025-12-28 03:32 – Updated: 2025-12-29 19:04

Title

JeecgBoot list queryPageList improper authorization

Summary

A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Severity ?

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R

3.1 (Low)


                        
                          CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R

CWE

CWE-285 - Improper Authorization
CWE-266 - Incorrect Privilege Assignment

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.338497	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.338497	signaturepermissions-required
	https://vuldb.com/?submit.711771	third-party-advisory
	https://github.com/Hwwg/cve/issues/32	exploitissue-tracking

Impacted products

	Vendor	Product	Version
	n/a	JeecgBoot	Affected: 3.0 Affected: 3.1 Affected: 3.2 Affected: 3.3 Affected: 3.4 Affected: 3.5 Affected: 3.6 Affected: 3.7 Affected: 3.8 Affected: 3.9.0

Credits

huangweigang (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15119",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-29T19:04:50.257660Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-29T19:04:57.949Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "JeecgBoot",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "status": "affected",
              "version": "3.1"
            },
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "status": "affected",
              "version": "3.4"
            },
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "status": "affected",
              "version": "3.6"
            },
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "status": "affected",
              "version": "3.9.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "huangweigang (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was detected in JeecgBoot up to 3.9.0. This issue affects the function queryPageList of the file /sys/sysDepartRole/list. The manipulation of the argument deptId results in improper authorization. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.1,
            "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-28T03:32:06.719Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-338497 | JeecgBoot list queryPageList improper authorization",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.338497"
        },
        {
          "name": "VDB-338497 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.338497"
        },
        {
          "name": "Submit #711771 | JeecgBoot 3.9.0 Improper Control of Resource Identifiers",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.711771"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/Hwwg/cve/issues/32"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-27T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-12-27T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-12-27T10:06:16.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "JeecgBoot list queryPageList improper authorization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-15119",
    "datePublished": "2025-12-28T03:32:06.719Z",
    "dateReserved": "2025-12-27T09:00:45.393Z",
    "dateUpdated": "2025-12-29T19:04:57.949Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-06137

CVE-2025-15119 (GCVE-0-2025-15119)

Tags

Sightings

Nomenclature