CVE-2024-22492
Description
A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save contact parameter, which allows remote attackers to inject arbitrary web script or HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JFinalcms 5.0.0 contains a stored XSS vulnerability in the /gusetbook/save endpoint via the contact parameter, allowing arbitrary script injection.
Vulnerability Overview
The vulnerability is a stored cross-site scripting (XSS) issue in JFinalcms 5.0.0. The contact parameter of the /gusetbook/save endpoint does not properly sanitize user input, allowing attackers to store malicious scripts that execute when the page is viewed. [1][2]
Exploitation Details
Exploitation requires an attacker to submit a crafted payload in the contact field when saving a guestbook entry. The payload is stored and later executed when an administrator accesses the /admin/guestbook page to view entries. No special privileges are needed for the initial submission. [2]
Impact
The impact is that an attacker can execute arbitrary JavaScript in the context of an administrator's session. This can lead to session hijacking, defacement, or theft of sensitive data such as cookies. The vulnerability is classified as stored XSS; no CVSS score has been provided yet, but it is considered moderate severity. [1]
Mitigation Status
As of the publication date, no patch has been released. Users should consider disabling the guestbook feature or implementing input validation and output encoding as a workaround. The vendor has been notified via the repository. [2]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.jfinal:jfinal (Maven) | <= 5.0.0 | — |
Affected products
- JFinalcms/JFinalcms (from the CVE description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-859h-4w58-78xw (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-22492 (GHSA, advisory)
- github.com/cui2shark/security/blob/main/%28JFinalcms%20contact%20para%29A%20stored%20cross-site%20scripting%20%28XSS%29%20vulnerability%20was%20discovered%20in%20Jfinalcms%20contact%20para.md (GHSA, web)
News mentions
No linked articles in our index yet.