Jfinal

All CVEs

23 total · sorted by risk
  • CVE-2021-31635 · Cri · Jun 26, 2023
    risk 0.64 · cvss 9.8 · epss 0.01

    Server-Side Template Injection (SSTI) vulnerability in jFinal v.4.9.08 allows a remote attacker to execute arbitrary code via the template function.

  • CVE-2022-30500 · Cri · May 26, 2022
    risk 0.64 · cvss 9.8 · epss 0.01

    Jfinal cms 5.1.0 is vulnerable to SQL Injection.

  • CVE-2020-19151 · Hig · Sep 15, 2021
    risk 0.58 · cvss 8.8 · epss 0.05

    Command Injection in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code by uploading a malicious HTML template file via the component 'jfinal_cms/admin/filemanager/list'.

  • CVE-2022-37208 · Hig · Oct 13, 2022
    risk 0.57 · cvss 8.8 · epss 0.01

    JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

  • CVE-2022-37209 · Hig · Sep 27, 2022
    risk 0.57 · cvss 8.8 · epss 0.01

    JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

  • CVE-2022-37201 · Hig · Sep 15, 2022
    risk 0.57 · cvss 8.8 · epss 0.01

    JFinal CMS 5.1.0 is vulnerable to SQL Injection.

  • CVE-2022-37207 · Hig · Sep 15, 2022
    risk 0.57 · cvss 8.8 · epss 0.01

    JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

  • CVE-2022-34928 · Hig · Aug 3, 2022
    risk 0.57 · cvss 8.8 · epss 0.01

    JFinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via /system/user.

  • CVE-2020-19150 · Hig · Sep 15, 2021
    risk 0.53 · cvss 8.1 · epss 0.03

    Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the 'FileManager.delete()' function in the component 'modules/filemanager/FileManagerController.java'.

  • CVE-2021-40639 · Hig · Sep 15, 2021
    risk 0.49 · cvss 7.5 · epss 0.01

    Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.

  • CVE-2020-19147 · Med · Sep 15, 2021
    risk 0.42 · cvss 6.5 · epss 0.02

    Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'getFolder()' function in the component '/modules/filemanager/FileManager.java'.

  • CVE-2023-24747 · Med · Apr 5, 2023
    risk 0.35 · cvss 5.4 · epss 0.00

    Jfinal CMS v5.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/dict/list.

  • CVE-2025-3214 · Med · Apr 4, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability has been found in JFinal CMS up to 5.2.4 and classified as problematic. Affected by this vulnerability is the function engine.getTemplate of the file /readTemplate. The manipulation of the argument template leads to path traversal. The attack can be launched…

  • CVE-2024-57772 · Jan 16, 2025
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2024-57768 · Jan 16, 2025
    risk 0.00 · cvss · epss 0.00

    JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key.

  • CVE-2024-57770 · Jan 16, 2025
    risk 0.00 · cvss · epss 0.01

    JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component apply/save#oaContractApply.id.

  • CVE-2024-57774 · Jan 16, 2025
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2024-57776 · Jan 16, 2025
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2024-57771 · Jan 16, 2025
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2024-57773 · Jan 16, 2025
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2024-57775 · Jan 16, 2025
    risk 0.00 · cvss · epss 0.01

    JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component getWorkFlowHis?insid.

  • CVE-2024-57769 · Jan 16, 2025
    risk 0.00 · cvss · epss 0.01

    JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component borrowmoney/listData?applyUser.

  • CVE-2024-53477 · Dec 2, 2024
    risk 0.00 · cvss · epss 0.01

    JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java.