C0Cho

**Name of the Vulnerable Software and Affected Versions** JFinalCMS up to 20221020 **Description** A problematic issue has been found in JFinalCMS, affecting an unknown part of the file /admin/content. The manipulation of the `Title` argument leads to cross-site scripting. It is possible to initiate the attack remotely. **Recommendations** For JFinalCMS up to 20221020, as a temporary workaround, consider restricting access to the /admin/content file until a patch is available. Avoid using the `Title` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** JFinalCMS version 5.0.0 **Description** The issue is related to SQL injection via the "/admin/content/data" API endpoint. This allows for potential data manipulation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For JFinalCMS version 5.0.0, consider restricting access to the "/admin/content/data" API endpoint until a patch is available. Avoid using sensitive data in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.