PT-2024-17561 · Jfinalcms · Jfinalcms

Hadagaga

Published

2024-12-09

Updated

2024-12-11

CVE-2024-12351

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions JFinalCMS version 1.0

Description A critical vulnerability has been found in the function findPage of the file srcmainjavacomcmsentityContentModel.java of the component File Content Handler. The manipulation of the argument name leads to SQL injection. It is possible to initiate the attack remotely.

Recommendations For JFinalCMS version 1.0, as a temporary workaround, consider disabling the findPage function until a patch is available. Restrict access to the File Content Handler component to minimize the risk of exploitation. Avoid using the name argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Special Elements Injection

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74CWE-89

Related Identifiers

CVE-2024-12351

Affected Products

Jfinalcms

PT-2024-17561 · Jfinalcms · Jfinalcms

CVE-2024-12351

Weakness Enumeration

Related Identifiers

Affected Products

References · 9