JFinalCMS · CVE-2024-8694
Name of the Vulnerable Software and Affected Versions:
JFinalCMS versions up to 20240903
Description:
A problematic issue was found in JFinalCMS in the `update` function of the `/admin/template/update` component, located in `com.cms.controller.admin.TemplateController`. Manipulation of the `fileName` argument leads to path traversal. The issue can be exploited remotely.
Recommendations:
For versions up to 20240903, restrict access to the `/admin/template/update` endpoint as a temporary workaround until a patch is available, and avoid passing the `fileName` argument to the affected endpoint to reduce the risk of exploitation. At the time of writing, no newer version containing a fix for this issue is known.
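The containment check a fix for this class of issue needs, as an added example that is not JFinalCMS's own code: a user-supplied template file name is accepted only if its normalized (and, for existing files, real) path stays inside the configured template directory. The `TEMPLATE_ROOT` location, the `resolveTemplate` method and the allowed extensions are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class TemplatePathGuard {
    // Hypothetical template directory; a real deployment would read this from config.
    static final Path TEMPLATE_ROOT =
            Paths.get("/srv/jfinalcms/templates").toAbsolutePath().normalize();

    /**
     * Resolves a user-supplied file name against the template root and rejects
     * anything that would escape it. Returns null when the name is not acceptable.
     */
    static Path resolveTemplate(String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty()) {
            return null;
        }
        // Only relative names make sense here; reject absolute paths and drive specifiers.
        if (fileName.startsWith("/") || fileName.startsWith("\\") || fileName.contains(":")) {
            return null;
        }
        // normalize() collapses "." and ".." segments; Path.startsWith compares whole
        // path components, so a sibling directory with the same prefix cannot slip through.
        Path candidate = TEMPLATE_ROOT.resolve(fileName).normalize();
        if (!candidate.startsWith(TEMPLATE_ROOT)) {
            return null;
        }
        // Restrict writes to the file types a template editor legitimately handles.
        String lower = candidate.getFileName().toString().toLowerCase();
        if (!(lower.endsWith(".html") || lower.endsWith(".css") || lower.endsWith(".js"))) {
            return null;
        }
        // A symlink inside the root that points elsewhere passes the lexical check,
        // so for existing files compare the real paths as well.
        if (candidate.toFile().exists()
                && !candidate.toRealPath().startsWith(TEMPLATE_ROOT.toRealPath())) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: only the first two resolve to a path, the rest yield null.
        String[] samples = {"index.html", "sub/footer.css", "../../outside.html",
                            "/etc/hostname", "theme.jsp"};
        for (String s : samples) {
            System.out.println(s + " -> " + resolveTemplate(s));
        }
    }
}
```

Applying the check inside the controller before any file is read or written is what closes the traversal; logging rejected names also gives a useful detection signal for probing of the endpoint.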