jfinal_cms issues

Some SQL injection vulnerabilities exists in JFinal CMS 5.1.0

Administrator login is required. The default account password is admin:admin123 ## admin/videoalbum/list There is a SQLI vul in background mode.The route is as following ![image-20220809173719466](http://qny.so4ms.top/pic/typora/image-20220809173719466.png) vulnerable argument passing is as...

So4ms

Some SQL injection vulnerabilities exists in JFinal CMS 5.1.0

Administrator login is required. The default account password is admin:admin123 ## admin/article/list There is a SQLI vul in background mode.The route is as following ![image-20220809171242344](http://qny.so4ms.top/pic/typora/image-20220809171242344.png) vulnerable argument passing is as...

So4ms

jfinal_ CMS 5.1.0 has a SQL injection

first you can use the URL http://your IP/jfinal_cms/system/menu/list then you can use the shell ''' sqlmap -u http://your IP/jfinal_cms/system/menu/list --thread 8 --batch --smart --random-agent --data "form.orderColumn=*&form.orderAsc=&attr.name=&totalRecords=31&pageNo=1&pageSize=20&length=10" --cookie "your cookie" '''...

AgainstTheLight

There is a SQL injection vulnerability exists in JFinal CMS 5.1.0 again

you can use the route /jfinal_cms/system/role/list then use sqlmap attack the interface like this : ![f097bb66a1e76ef93f3834b319a6b30](https://user-images.githubusercontent.com/56295743/181655295-926a52dc-37c0-4f99-81df-64acd5806af2.jpg)

jwt-123

There is a SQL injection vulnerability exists in JFinal CMS 5.1.0

the route is /jfinal_cms/system/user/list ![c1c9859cc9ea5015f05f68e55fb3695](https://user-images.githubusercontent.com/56295743/181653646-721d4a24-6e65-4ccc-ac85-6bdf49eb4068.jpg) ![f6d64fe8a0e68451dd7a70a0e7d98fb](https://user-images.githubusercontent.com/56295743/181653653-437648a8-c76d-495d-b1ae-2cdf5ca970fb.png) ![6e1b77dfc081f4433ae57e0d788738c](https://user-images.githubusercontent.com/56295743/181653662-e6277d38-1471-419a-b694-72365439f467.png)

jwt-123

CVE-2022-33113 - Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.

6

CVE-2022-33113 - Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module. ---------...

bmohanr-techie

Issue ID: CVE-2022-33113

2

Description: Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module. Fixed in...

bharathmohanraj

arongmh

jfinal_cms
jfinal_cms copied to clipboard

Metadata

Some SQL injection vulnerabilities exists in JFinal CMS 5.1.0

Some SQL injection vulnerabilities exists in JFinal CMS 5.1.0

jfinal_ CMS 5.1.0 has a SQL injection

There is a SQL injection vulnerability exists in JFinal CMS 5.1.0 again

There is a SQL injection vulnerability exists in JFinal CMS 5.1.0

CVE-2022-33113 - Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.

Issue ID: CVE-2022-33113

XSS vulnerability2 in jfinal_cms 5.1.0

XSS vulnerability1 in jfinal_cms 5.1.0

XSS vulnerability stored in the publish blog module of Jfinal_cms V5.1.0

← Metadata

Owner

Metadata

jfinal_cms jfinal_cms copied to clipboard

Metadata

← Metadata

Owner

Metadata

jfinal_cms
jfinal_cms copied to clipboard