PT-2019-11509 · Jeesite · Jeesite

Published: 2019-07-23 · Updated: 2019-08-05 · CVE-2019-1010202

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jeesite versions prior to 4.0
Description: The issue affects the convertToModel() function in the ActProcessService.java file, which parses uploaded XML with a parser that resolves external entities, allowing sensitive information disclosure through an XML External Entity (XXE) attack. It can be exploited by uploading a specially crafted XML file; exploitation requires network access and an authenticated account.
Recommendations: For versions prior to 4.0, update to version 4.0 or later to resolve the issue. As a temporary workaround, consider disabling the convertToModel() function until a patch is available. Restrict access to the ActProcessService.java module to minimize the risk of exploitation. Avoid uploading XML files from untrusted sources to the affected API endpoint until the issue is resolved.
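To make the recommendation concrete, here is an added example (not Jeesite's code and not taken from the advisory) of how a Java DOM parser of the kind a method like convertToModel() would use is hardened against XXE: the stock DocumentBuilderFactory beside a configuration that refuses DOCTYPE declarations and external entity resolution. The class and method names and the sample XML are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;

public class SafeXmlParse {

    // Stock factory, shown for contrast: by default it accepts a DOCTYPE and
    // resolves entity references, which is the configuration XXE relies on.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: reject DOCTYPE declarations outright (so no entity can be
    // declared at all) and additionally switch off every external-resource path.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Returns the root element name, or null when the parser rejects the document.
    static String parseRoot(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTagName();
        } catch (Exception e) {
            return null; // hardened parser throws on the DOCTYPE before any entity is resolved
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a process-definition-like document carrying a DOCTYPE.
        // The entity here is an internal literal; the point is that the hardened
        // parser refuses the DOCTYPE itself, so no entity of any kind is processed.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE definitions [ <!ENTITY x \"placeholder\"> ]>\n"
            + "<definitions><process id=\"p1\">&x;</process></definitions>";
        String plain = "<definitions><process id=\"p1\"/></definitions>";
        System.out.println(parseRoot(defaultBuilder(), withDoctype));  // definitions (accepted)
        System.out.println(parseRoot(hardenedBuilder(), withDoctype)); // null (rejected)
        System.out.println(parseRoot(hardenedBuilder(), plain));       // definitions
    }
}
```

The same feature names apply to SAXParserFactory and XMLInputFactory; whichever parser the upload handler uses, the check is that a document containing a DOCTYPE is rejected rather than silently expanded.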

Exploit · Fix · XXE

Related Identifiers: CVE-2019-1010202

Affected Products: Jeesite