Jfinalcms · Jfinalcms · CVE-2025-3214
**Name of the Vulnerable Software and Affected Versions**
JFinal CMS versions up to 5.2.4
**Description**
A vulnerability has been reported in the function `engine.getTemplate` of the file `/readTemplate`, where manipulation of the `template` argument leads to path traversal. The attack can be launched remotely. Whether this is a genuine vulnerability is still disputed; the vendor describes the behaviour as a feature rather than a bug.
**Recommendations**
For versions up to 5.2.4, as a temporary workaround, restrict access to the `engine.getTemplate` function (reached through `/readTemplate`) to reduce the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
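Beyond restricting access, the usual server-side fix for this class of issue is to confine the user-supplied `template` value to the template root before it ever reaches `engine.getTemplate`. The following is an added illustration written for this note, not JFinal CMS code; the class name, the root directory `/opt/jfinalcms/templates` and the sample inputs are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical helper (not part of JFinal CMS) that resolves a template name
 * under a fixed root and rejects anything that escapes it.
 */
public final class TemplatePathGuard {
    private final Path root;

    public TemplatePathGuard(String templateRoot) {
        // Canonical absolute root; the directory name here is an assumption.
        this.root = Paths.get(templateRoot).toAbsolutePath().normalize();
    }

    /**
     * Returns the resolved template path, or null if the request must be refused.
     * The servlet container has already URL-decoded the parameter once, so
     * "%2e%2e" arrives here as "..", and the normalize/startsWith check covers it.
     */
    public Path resolve(String template) {
        if (template == null || template.isEmpty()) return null;
        // Null bytes would make Paths.get() throw; absolute paths must never be honoured.
        if (template.indexOf('\0') >= 0 || Paths.get(template).isAbsolute()) return null;
        // normalize() collapses "." and ".." so the containment test below is meaningful.
        Path candidate = root.resolve(template).normalize();
        // Must stay strictly inside the root (the root itself is not a template).
        if (!candidate.startsWith(root) || candidate.equals(root)) return null;
        return candidate;
    }

    public static void main(String[] args) {
        TemplatePathGuard guard = new TemplatePathGuard("/opt/jfinalcms/templates");
        // Constructed sample inputs: two legitimate names, four that escape the root.
        String[] probes = { "index.html", "sub/page.html",
                            "../../etc/passwd", "/etc/passwd", "sub/../../x", "." };
        for (String p : probes) {
            Path r = guard.resolve(p);
            System.out.println(p + " -> " + (r == null ? "REJECTED" : r));
        }
    }
}
```

Only the first two probes resolve; the others are refused before any file is opened, which is the property a defender should test for on `/readTemplate`.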