39 matches found
CVE-2024-22497
CVE-2024-22497: A cross-site scripting (XSS) vulnerability affects JFinalcms 5.0.0, arising from handling of the password parameter in the /admin/login route. Exploitation via crafted URLs may allow an attacker to run arbitrary code. Multiple feeds (NVD, Red Hat, Veracode, OSV, GHSA, CNNVD, CVE ...
CVE-2024-22496
CVE-2024-22496 is an XSS vulnerability affecting JFinalcms 5.0.0. The issue stems from improper handling of the /admin/login username parameter, enabling injection of arbitrary JavaScript code. Connected sources corroborate the vulnerability as Cross-site Scripting in JFinalcms with the same vect...
CVE-2023-41599
CVE-2023-41599: JFinalCMS v5.0.0 contains a directory traversal vulnerability in /common/DownController.java. Unauthenticated attackers can read arbitrary files from the server via path traversal in the filekey parameter, potentially exposing credentials and sensitive CMS content. The connected ...
CVE-2022-27341
CVE-2022-27341 affects JFinalCMS v2.0 and is a SQL injection vulnerability exploitable via the Article Management function. The base CVSS v2 score is 7.5 (HIGH) with Network attack vector, low attack complexity, no authentication, and partial impact to confidentiality, integrity, and availability...
CVE-2023-51254
Jfinalcms 5.0.0 is affected by a Cross Site Scripting (XSS) flaw in the friendship link component. The weakness stems from inadequate input validation, allowing a remote attacker to inject script and potentially execute arbitrary code. Documented by multiple sources (Veracode, CNNVD, OSV, Red Hat...
CVE-2023-49372
JFinalCMS v5.0.0 is affected by a Cross-Site Request Forgery (CSRF) vulnerability exploitable via the /admin/slide/save endpoint. Root cause is a CSRF weakness in that API path, as reported across multiple sources. CVSSv3.1 vector indicates high baseline impact (C/H, I/H, A/H) with no privileges ...
CVE-2023-49380
CVE-2023-49380: JFinalCMS v5.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /admin/friend_link/delete endpoint. The issue is documented across multiple sources (NVD, GHSA, OSV, CVE list) with CVSSv3.1 base score 8.8 (HIGH), attack vector NETWORK, user interaction REQUIRED, ...
CVE-2024-24375
CVE-2024-24375 describes a SQL injection in Jfinalcms v5.0.0 that allows a remote attacker to obtain sensitive information through the /admin/admin name parameter. Multiple vendors and feeds (NVD, Red Hat, OSV, CNNVD, CVE list) corroborate a vulnerability centered on the /admin/admin name endpoin...
CVE-2023-49383
CVE-2023-49383: JFinalCMS v5.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /admin/tag/save endpoint. The issue is documented across multiple feeds (Red Hat, GHSA, OSV, NVD/CVE lists) and is characterized by a high-severity impact (CVSS v3.1: 8.8; Privileges Required: None...
CVE-2023-49376
CVE-2023-49376 corresponds to a CSRF vulnerability affecting JFinalCMS v5.0.0, exploitable via the /admin/tag/delete endpoint. The NVD entry notes a high-severity vector (CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base score 8.8). Connected advisories also confirm the issue originates from CS...
CVE-2024-40322
The CVE-2024-40322 entry describes a SQL injection in JFinalCMS v5.0.0 exposed at the /admin/div_data/data API. Veracode notes improper input validation in DivDataController#data, enabling arbitrary SQL via manipulation of the tableName field in a custom div object. Red Hat/OSV and CVE databases ...
CVE-2024-24029
CVE-2024-24029 affects JFinalCMS 5.0.0 and is described as a SQL injection via /admin/content/data. The CVSS vector indicates NETWORK exploitation, no authentication, no user interaction, with a high impact on confidentiality, integrity, and availability (base score 9.8). The provided documents d...
CVE-2023-49398
JFinalCMS 5.0.0 contains a CSRF vulnerability exploitable via the /admin/category/delete endpoint. The CVE-2023-49398 entry notes CSRF with high impact (confidentiality/integrity/availability affected) and no exploitation details are provided in the connected documents. The linked PT-2023-31204...
CVE-2023-49382
Summary of findings for CVE-2023-49382. Affected software: JFinalCMS, version 5.0.0. Vulnerability: Cross-Site Request Forgery (CSRF) exposed via the /admin/div/delete API endpoint. Impact: CVSSv3.1 base score 8.8 (High). Impacts to confidentiality, integrity, and availability are all rated High i...
CVE-2023-49381
CVE-2023-49381 affects JFinalCMS 5.0.0. The vulnerability is a Cross-Site Request Forgery (CSRF) in the /admin/div/update endpoint, allowing unintended actions within the application. The available connected document PT-2023-31196 specifies the affected software/version and confirms the CSRF natu...
CVE-2023-49485
CVE-2023-49485 concerns JFinalCMS v5.0.0, with a cross-site scripting (XSS) vulnerability in the column management department. The original description and connected documents consistently identify the affected software as JFinalCMS v5.0.0 and attribute the issue to inadequate filtering/escaping ...
CVE-2024-22493
CVE-2024-22493 is a stored XSS vulnerability in JFinalcms 5.0.0 exploitable via the /gusetbook/save endpoint, specifically through the content parameter. Multiple connected sources confirm the same flaw and context, indicating that remote attackers can inject arbitrary script or HTML. The impact ...
CVE-2023-49374
Concretely, CVE-2023-49374 affects JFinalCMS v5.0.0 with a Cross-Site Request Forgery (CSRF) vulnerability exploitable via /admin/slide/update. The NVD entry reports a CVSS v3.1 base score of 8.8 (High) with Network attack vector, no privileges required, user interaction required, and impacts to ...
CVE-2023-50137
CVE-2023-50137: JFinalcms 5.0.0 is vulnerable to Cross-Site Scripting (XSS) in the site management office. The issue is documented across multiple feeds (NVD, Red Hat, Veracode, OSV, GHSA) with a base CVSS v3.1 score of 5.4 (Medium). The root cause is an XSS flaw in the site management office wh...
CVE-2023-50101
JFinalcms 5.0.0 is affected by a Cross-Site Scripting (XSS) vulnerability in the Label management editing feature. The issue is described across multiple sources (including Red Hat and Veracode feeds) as stemming from insufficient input validation in the library’s label management flow, enabling ...
CVE-2023-50100
CVE-2023-50100 affects JFinalcms 5.0.0. The vulnerability is a Cross-Site Scripting (XSS) flaw exposed via the carousel image editing feature, caused by insufficient filtering/escaping of user-supplied data. Impact: an attacker can inject and execute arbitrary scripts in the victim’s browser. Exp...
CVE-2023-49447
Affected software and issue: JFinalCMS v5.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /admin/nav/update component, due to insufficient validation of whether a request originates from a trusted user. Impact (as described): The vulnerability can enable an attacker to forge...
CVE-2023-50136
CVE-2023-50136 affects JFinalcms 5.0.0. The vulnerability is a Cross-Site Scripting (XSS) in the name field used when creating a new custom table, stemming from insufficient input filtering/escaping. Reported across multiple feeds (NVD/Red Hat/CNVD/CNNVD/etc.). Potential impact is execution of ar...
CVE-2023-50449
Summary (CVE-2023-50449): JFinalCMS 5.0.0 is vulnerable to a remote directory traversal via the /common/down/file fileKey parameter, allowing reading of arbitrary files. Root cause: improper handling of the ../ path segment in the fileKey parameter. Documented by multiple sources (Red Hat, GHSA, ...
CVE-2023-49379
CVE-2023-49379 affects JFinalCMS v5.0.0. A CSRF in the /admin/friend_link/save component is described, with CVSS v3.1 base score 8.8 (HIGH) and user interaction required. The connected documents reiterate the same vulnerability; exploitation status and concrete remediation are not provided in the...
CVE-2024-22494
CVE-2024-22494 is a stored XSS in JFinalcms 5.0.0 exploited via the /gusetbook/save mobile parameter. The vulnerability allows remote attackers to inject arbitrary web script or HTML into victims’ browsers due to improper input handling of the mobile field. Public details in the provided document...
CVE-2023-49373
CVE-2023-49373: JFinalCMS v5.0.0 is affected by a Cross-Site Request Forgery (CSRF) at the /admin/slide/delete endpoint. The vulnerability arises at that API point, enabling unauthorized actions if a user with an active session is induced to perform a request. The CVSS 3.1 metrics describe a High...
CVE-2023-49395
JFinalCMS v5.0.0 has a Cross-Site Request Forgery (CSRF) vulnerability in /admin/category/update. Root cause: CSRF in that endpoint. Impact: high (confidentiality, integrity, availability) per CVSS 3.1 (8.8). Exploitation details are not provided in the connected docs. Remediation: in the PT-2023...
CVE-2023-49448
JFinalCMS v5.0.0 is affected by a Cross-Site Request Forgery (CSRF) vulnerability in the admin/nav/delete endpoint. The CVE-2023-49448 entry identifies a CSRF issue with high impact to confidentiality, integrity, and availability (CVSS v3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). No exploitation d...
CVE-2023-50102
JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) due to insufficient input sanitization, enabling injection of malicious JavaScript into a user’s browser. Affected component is the web content handling in JFinalcms; the root cause is input sanitization gaps. The reports do not provide ...
CVE-2023-49375
CVE-2023-49375 affects JFinalCMS v5.0.0 with a Cross-Site Request Forgery (CSRF) vulnerability via the /admin/friend_link/update endpoint. The NVD entry reports CVSS v3.1 base score 8.8 (HIGH) with network attack vector, no user privileges, and required user interaction. Multiple connected adviso...
CVE-2023-49396
CVE-2023-49396 affects JFinalCMS v5.0.0 with a Cross-Site Request Forgery (CSRF) vulnerability exposed via the /admin/category/save endpoint. The issue originates from CSRF in how this endpoint handles requests, enabling potential unauthorized actions if a user is tricked into submitting a reques...
CVE-2023-49446
Summary: CVE-2023-49446 affects JFinalCMS v5.0.0 with a Cross-Site Request Forgery (CSRF) issue exposed via the /admin/nav/save endpoint. The public dossier consistently identifies the vulnerability and its target, but does not provide a confirmed patch version or vendor remediation details. Root...
CVE-2023-49377
JFinalCMS v5.0.0 is affected by a Cross-Site Request Forgery (CSRF) vulnerability exploitable via /admin/tag/update. The CVE entry indicates a high-impact issue with CVSS 3.1: Network attack vector, no privileges required, user interaction required, and high impacts on confidentiality, integrity,...
CVE-2023-49378
CVE-2023-49378 affects JFinalCMS v5.0.0 with a Cross-Site Request Forgery (CSRF) vulnerability exposed via the /admin/form/save endpoint. Root cause: CSRF in that API path. Impact is high across confidentiality, integrity, and availability (per NVD metrics: CVSS 3.1 base score 8.8, HIGH). Connect...
CVE-2023-49486
JFinalCMS v5.0.0 is affected by a cross-site scripting (XSS) vulnerability in the model management department. The root cause is lack of effective filtering and escaping of user-supplied data. The vulnerability could allow attackers to execute arbitrary web scripts or HTML by injecting a crafted ...
CVE-2023-49487
CVE-2023-49487 concerns a cross-site scripting (XSS) vulnerability in JFinalCMS v5.0.0, located in the navigation management department. The root cause is insufficient filtering/escaping of user-supplied data, enabling arbitrary Web script or HTML execution. The CVSSv3.1 base score is 5.4 (Medium...
CVE-2024-22492
CVE-2024-22492 describes a stored XSS vulnerability in JFinalCMS 5.0.0. The issue is exploitable via the /gusetbook/save contact parameter, allowing remote attackers to inject arbitrary web script or HTML. The CVE entry notes a network-based vector with low attack complexity and requires user int...
CVE-2023-49397
JFinalCMS v5.0.0 contains a CSRF vulnerability exploitable via the /admin/category/updateStatus endpoint. Root cause: Cross-Site Request Forgery on a sensitive admin action. Impact is described as high (CVSS v3.1: 8.8; Confidentiality, Integrity, Availability all High). Exploitation details are n...