CVE-2022-37203

CRITICAL

Jflyfox Jfinal Cms - SQL Injection

Title source: rule

Description

JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

Exploits (1)

nomisec WRITEUP

by AgainstTheLight · poc

https://github.com/AgainstTheLight/CVE-2022-37203

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] https://github.com/AgainstTheLight/someEXP_of_jfinal_cms/blob/main/jfinal_cms/sql3.md

[Third Party Advisory] https://github.com/AgainstTheLight/CVE-2022-37203/blob/main/README.md

Scores

CVSS v3 9.8

EPSS 0.0111

EPSS Percentile 78.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

jflyfox/jfinal_cms 5.1.0

Published Sep 19, 2022

Tracked Since Feb 18, 2026