PT-2022-12562 · Jfinalcms · Jfinalcms

Al1Exo

Published

2022-01-25

Updated

2022-01-28

CVE-2021-46087

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions jfinal cms versions 5.1.0 and later

Description The issue is related to a storage XSS vulnerability in the background system of the CMS. This occurs because the developers do not filter the parameters submitted by the user input form, allowing any user with background permission to affect the system security by entering malicious code.

Recommendations For jfinal cms versions 5.1.0 and later, consider filtering parameters submitted by the user input form to prevent malicious code entry. As a temporary workaround, restrict background permission to trusted users until a proper fix is implemented.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-46087

Affected Products

Jfinalcms

PT-2022-12562 · Jfinalcms · Jfinalcms

CVE-2021-46087

Weakness Enumeration

Related Identifiers

Affected Products

References · 4