CVE-2024-8706

Name of the Vulnerable Software and Affected Versions: JFinalCMS up to 20240903

Description: A vulnerability was found in the function update of the file /admin/template/update of the component com.cms.util.TemplateUtils. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Recommendations: For JFinalCMS up to 20240903, as a temporary workaround, consider restricting access to the com.cms.util.TemplateUtils component until a patch is available. Avoid using the fileName argument in the affected API endpoint /admin/template/update until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.