Jfinalcms · Jfinalcms · CVE-2024-8706
Name of the Vulnerable Software and Affected Versions:
JFinalCMS up to 20240903
Description:
A vulnerability was found in the function update of the file /admin/template/update of the component com.cms.util.TemplateUtils. The manipulation of the argument `fileName` leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Recommendations:
For JFinalCMS up to 20240903, as a temporary workaround, consider restricting access to the `com.cms.util.TemplateUtils` component until a patch is available. Avoid using the `fileName` argument in the affected API endpoint `/admin/template/update` until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
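The advisory names the root cause (a user-controlled `fileName` resolved into a filesystem path without containment) but carries no code. The following is an added illustration, not JFinalCMS code: it assumes a Java 11+ handler with a fixed template root directory, and the class name, method name and allowed-extension list are all assumptions. It shows the check a template-update handler needs so that `fileName` cannot resolve outside the template directory, which is the defect class CVE-2024-8706 describes.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

/**
 * Hypothetical path-containment check for a template "update" handler.
 * Added illustration only; not the project's code. The template root,
 * the allowed extensions and the method names are assumptions.
 */
public final class SafeTemplatePath {

    // Assumed policy: only these extensions may be written as templates.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of(".html", ".htm");

    private SafeTemplatePath() {}

    /**
     * Resolve a user-supplied file name against the template root and return
     * the canonical target path. Throws IllegalArgumentException when the
     * name is empty, absolute, carries a NUL byte, resolves outside the root
     * (via "..", or via a symlink for existing files), or has a disallowed
     * extension.
     */
    public static Path resolve(Path templateRoot, String fileName) throws IOException {
        if (fileName == null || fileName.isBlank()) {
            throw new IllegalArgumentException("fileName is required");
        }
        // NUL bytes can truncate the path in lower layers; reject them early.
        if (fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("fileName contains NUL");
        }
        Path candidate = Paths.get(fileName);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed");
        }

        // Canonicalize the root once (follows symlinks), then resolve the
        // candidate beneath it; normalize() folds "." and ".." segments.
        Path root = templateRoot.toRealPath();
        Path resolved = root.resolve(candidate).normalize();
        if (!resolved.startsWith(root)) {
            throw new IllegalArgumentException("path escapes template root: " + fileName);
        }

        // For an existing target, also follow symlinks and re-check, so a
        // link planted inside the root cannot point at a file outside it.
        if (Files.exists(resolved)) {
            Path real = resolved.toRealPath();
            if (!real.startsWith(root)) {
                throw new IllegalArgumentException("symlink escapes template root: " + fileName);
            }
        }

        String name = resolved.getFileName().toString();
        int dot = name.lastIndexOf('.');
        String ext = dot >= 0 ? name.substring(dot).toLowerCase() : "";
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + name);
        }
        return resolved;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary template root with one template.
        Path root = Files.createTempDirectory("templates");
        Files.writeString(root.resolve("index.html"), "<h1>sample</h1>");

        System.out.println("accepted: " + resolve(root, "index.html"));

        // Constructed traversal-style names; every one must be rejected.
        String[] rejected = {"../outside.html", "sub/../../x.html", "notes.txt", ""};
        for (String bad : rejected) {
            try {
                resolve(root, bad);
                System.out.println("UNEXPECTEDLY accepted: " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```

The containment test is the `startsWith(root)` comparison after `normalize()`, performed on the canonical root rather than on the raw string; string checks such as "does not contain `..`" miss encoded and mixed-separator forms and are not a substitute. When applying this to an existing handler, the same `resolve` should guard both the read and the write of the template file, and the root directory should be configured by the application, never derived from request data.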