Jfinal
by Jfinal
CVEs (23)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-3214 | | Med | 0.28 | 4.3 | 0.00 | | Apr 4, 2025 | A vulnerability has been found in JFinal CMS up to 5.2.4 and classified as problematic. Affected by this vulnerability is the function engine.getTemplate of the file /readTemplate. The manipulation of the argument template leads to path traversal. The attack can be launched… |
| CVE-2024-57771 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57774 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57772 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57776 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57775 | | | 0.00 | — | 0.01 | | Jan 16, 2025 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component getWorkFlowHis?insid. |
| CVE-2024-57768 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key. |
| CVE-2024-57770 | | | 0.00 | — | 0.01 | | Jan 16, 2025 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component apply/save#oaContractApply.id. |
| CVE-2024-57769 | | | 0.00 | — | 0.01 | | Jan 16, 2025 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component borrowmoney/listData?applyUser. |
| CVE-2024-57773 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-53477 | | | 0.00 | — | 0.01 | | Dec 2, 2024 | JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java |
| CVE-2021-31635 | | | 0.00 | — | 0.01 | | Jun 26, 2023 | Server-Side Template Injection (SSTI) vulnerability in jFinal v.4.9.08 allows a remote attacker to execute arbitrary code via the template function. |
| CVE-2023-24747 | | | 0.00 | — | 0.00 | | Apr 5, 2023 | Jfinal CMS v5.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/dict/list. |
| CVE-2022-37208 | | | 0.00 | — | 0.01 | | Oct 13, 2022 | JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection. |
| CVE-2022-37209 | | | 0.00 | — | 0.01 | | Sep 27, 2022 | JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection. |
| CVE-2022-37201 | | | 0.00 | — | 0.01 | | Sep 15, 2022 | JFinal CMS 5.1.0 is vulnerable to SQL Injection. |
| CVE-2022-37207 | | | 0.00 | — | 0.01 | | Sep 15, 2022 | JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection |
| CVE-2022-34928 | | | 0.00 | — | 0.01 | | Aug 3, 2022 | JFinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via /system/user. |
| CVE-2022-30500 | | | 0.00 | — | 0.01 | | May 26, 2022 | Jfinal cms 5.1.0 is vulnerable to SQL Injection. |
| CVE-2021-40639 | | | 0.00 | — | 0.01 | | Sep 15, 2021 | Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js. |
Page 1 of 2