Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the βFileManager.delete()β function in the component βmodules/filemanager/FileManagerController.javaβ.