Vendor CVEs
Jfinal
All CVEs
23 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-31635 | | Cri | 0.64 | 9.8 | 0.01 | | Jun 26, 2023 | Server-Side Template Injection (SSTI) vulnerability in jFinal v.4.9.08 allows a remote attacker to execute arbitrary code via the template function. |
| CVE-2022-30500 | | Cri | 0.64 | 9.8 | 0.01 | | May 26, 2022 | Jfinal cms 5.1.0 is vulnerable to SQL Injection. |
| CVE-2020-19151 | | Hig | 0.58 | 8.8 | 0.05 | | Sep 15, 2021 | Command Injection in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code by uploading a malicious HTML template file via the component 'jfinal_cms/admin/filemanager/list'. |
| CVE-2022-37208 | | Hig | 0.57 | 8.8 | 0.01 | | Oct 13, 2022 | JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection. |
| CVE-2022-37209 | | Hig | 0.57 | 8.8 | 0.01 | | Sep 27, 2022 | JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection. |
| CVE-2022-37201 | | Hig | 0.57 | 8.8 | 0.01 | | Sep 15, 2022 | JFinal CMS 5.1.0 is vulnerable to SQL Injection. |
| CVE-2022-37207 | | Hig | 0.57 | 8.8 | 0.01 | | Sep 15, 2022 | JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection. |
| CVE-2022-34928 | | Hig | 0.57 | 8.8 | 0.01 | | Aug 3, 2022 | JFinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via /system/user. |
| CVE-2020-19150 | | Hig | 0.53 | 8.1 | 0.03 | | Sep 15, 2021 | Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the 'FileManager.delete()' function in the component 'modules/filemanager/FileManagerController.java'. |
| CVE-2021-40639 | | Hig | 0.49 | 7.5 | 0.01 | | Sep 15, 2021 | Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js. |
| CVE-2020-19147 | | Med | 0.42 | 6.5 | 0.02 | | Sep 15, 2021 | Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the 'getFolder()' function in the component '/modules/filemanager/FileManager.java'. |
| CVE-2023-24747 | | Med | 0.35 | 5.4 | 0.00 | | Apr 5, 2023 | Jfinal CMS v5.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/dict/list. |
| CVE-2025-3214 | | Med | 0.28 | 4.3 | 0.00 | | Apr 4, 2025 | A vulnerability has been found in JFinal CMS up to 5.2.4 and classified as problematic. Affected by this vulnerability is the function engine.getTemplate of the file /readTemplate. The manipulation of the argument template leads to path traversal. The attack can be launched… |
| CVE-2024-57772 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57768 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key. |
| CVE-2024-57770 | | | 0.00 | — | 0.01 | | Jan 16, 2025 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component apply/save#oaContractApply.id. |
| CVE-2024-57774 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57776 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57771 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57773 | | | 0.00 | — | 0.00 | | Jan 16, 2025 | A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-57775 | | | 0.00 | — | 0.01 | | Jan 16, 2025 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component getWorkFlowHis?insid. |
| CVE-2024-57769 | | | 0.00 | — | 0.01 | | Jan 16, 2025 | JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component borrowmoney/listData?applyUser. |
| CVE-2024-53477 | | | 0.00 | — | 0.01 | | Dec 2, 2024 | JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java. |