Lucene search

Veracode Vulnerability DatabaseVERACODE:44705

HistoryDec 18, 2023 - 6:15 a.m.

Cross Site Scripting (XSS)

2023-12-1806:15:30

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross site scripting

jfinal library

validation

user input

labels

authenticated attacker

malicious scripts

software

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

14.1%

JSON

com.jfinal:jfinal is vulnerable to Cross-site Scripting (XSS). Lack of proper validation for user input within the library’s label management feature, exposes a Cross-Site Scripting (XSS) vulnerability which allows an authenticated attacker to inject malicious scripts into labels, which are then executed when users view them.

CPENameOperatorVersion
jfinalle5.1.5
jfinalle5.1.5

CPE	Name	Operator	Version
	jfinal	le	5.1.5
	jfinal	le	5.1.5

References

github.com/advisories/GHSA-m3p6-43xj-pf9v

github.com/Jarvis-616/cms/blob/master/Label%20management%20editing%20with%20stored%20XSS.md