CVE-2024-8694

LOW

JFinalCMS <20240903 - Path Traversal

Title source: llm

Description

A vulnerability, which was classified as problematic, was found in JFinalCMS up to 20240903. This affects the function update of the file /admin/template/update of the component com.cms.controller.admin.TemplateController. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Exploits (1)

gitee 541 stars

by heyewei · javawriteup

https://gitee.com/heyewei/JFinalcms/issues/IAOKSQ

References (5)

[Exploit, Issue Tracking, Vendor Advisory] https://gitee.com/heyewei/JFinalcms/issues/IAOKSQ

[Exploit, Third Party Advisory] https://github.com/wave-to/SomeCms/blob/main/JFinalCMS.md

View Exploit ZIP pw:eip

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.277167

[Third Party Advisory, VDB Entry] https://vuldb.com/?id.277167

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.401858

Scores

CVSS v3 3.8

EPSS 0.0016

EPSS Percentile 36.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

Details

CWE

CWE-22

Status published

Products (1)

heyewei/jfinalcms < 20240903

Published Sep 11, 2024

Tracked Since Feb 18, 2026