CVE-2023-22975

A cross-site scripting (XSS) vulnerability in JFinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter under /front/person/profile.html.

CVE-2022-33113

Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.

CVE-2022-37199

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list.

CVE-2022-27111

Jfinal_CMS 5.1.0 allows attackers to use the feedback function to send malicious XSS code to the administrator backend and execute it.

CVE-2022-37223

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list.

CVE-2022-28505

Jfinal_cms 5.1.0 is vulnerable to SQL Injection via com.jflyfox.system.log.LogController.java.

CVE-2022-30500

Jfinal cms 5.1.0 is vulnerable to SQL Injection.

CVE-2022-29648

A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request.

CVE-2022-36527

Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the post title text field under the publish blog module.

CVE-2022-33114

Jfinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list.

CVE-2022-37202

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/advicefeedback/list

CVE-2022-37209

JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

CVE-2022-34928

JFinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via /system/user.

CVE-2022-38279

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/imagealbum/list.

CVE-2022-38281

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/site/list.

CVE-2022-37201

JFinal CMS 5.1.0 is vulnerable to SQL Injection.

CVE-2022-37207

JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection

CVE-2021-40639

Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.

CVE-2022-38274

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/comment/list.

CVE-2022-37204

Final CMS 5.1.0 is vulnerable to SQL Injection.

CVE-2022-37208

JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

CVE-2022-38283

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/video/list.

CVE-2022-38285

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/menu/list.

CVE-2022-38278

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/friendlylink/list.

CVE-2021-37262

JFinal_cms 5.1.0 is vulnerable to regex injection that may lead to Denial of Service.

CVE-2022-37203

JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

CVE-2022-38276

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/foldernotice/list.

CVE-2022-38277

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/folderrollpicture/list.

CVE-2022-38284

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/department/list.

CVE-2022-38286

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/role/list.

CVE-2023-30349

JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function.

CVE-2022-38275

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/contact/list.

CVE-2022-37205

JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

CVE-2022-38272

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/article/list.

CVE-2022-38280

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/image/list.

CVE-2022-38273

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/article/list_approve.

CVE-2023-34645

jfinal CMS 5.1.0 has an arbitrary file read vulnerability.

CVE-2022-38282

JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/videoalbum/list.

CVE-2023-47503

An issue in jflyfox jfinalCMS v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the login.jsp component in the template management module.