jflyfox/jfinal_cms

GitHub

github.com

mtg.jflyfox.com

Releases40

Frequency3 months 1 week

Last Release 5 days ago

Stars641

jfinal cms是一个java开发的功能强大的信息咨询网站，采用了简洁强大的JFinal作为web框架，模板引擎用的是beetl，数据库用mysql，前端bootstrap框架。支持oauth2认证、帐号注册、密码加密、评论及回复，消息提示，网站访问量统计，文章评论数和浏览量统计，回复管理，支持权限管理。后台模块包含：栏目管理，栏目公告，栏目滚动图片，文章管理，回复管理，意见反馈，我的相册，相册管理，图片管理，专辑管理、视频管理、缓存更新，友情链接，访问统计，联系人管理，模板管理，组织机构管理，用户管理，角色管理，菜单管理，数据字典管理。

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-11473 ↗	Jun 8, 2026Monday, 8 June 2026, 01:16	6.3 MEDIUM	6.5 MEDIUM
A vulnerability was identified in jflyfox jfinal_cms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2024-53477 ↗	Dec 2, 2024Monday, 2 December 2024, 21:15	9.8 CRITICAL	—
JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java
CVE-2023-47503 ↗	Nov 28, 2023Tuesday, 28 November 2023, 02:15	9.8 CRITICAL	—
An issue in jflyfox jfinalCMS v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the login.jsp component in the template management module.
CVE-2023-34645 ↗	Jun 16, 2023Friday, 16 June 2023, 18:15	7.5 HIGH	—
jfinal CMS 5.1.0 has an arbitrary file read vulnerability.
CVE-2023-26812 ↗	Apr 28, 2023Friday, 28 April 2023, 20:15	—	—
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: CVE-2023-26813. Reason: This record is a reservation duplicate of CVE-2023-26813. Notes: All CVE users should reference CVE-2023-26813 instead of this record. All references and descriptions in this record have been removed to prevent accidental usage.
CVE-2023-30349 ↗	Apr 27, 2023Thursday, 27 April 2023, 14:15	9.8 CRITICAL	—
JFinal CMS v5.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the ActionEnter function.
CVE-2023-22975 ↗	Feb 3, 2023Friday, 3 February 2023, 17:15	6.1 MEDIUM	—
A cross-site scripting (XSS) vulnerability in JFinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email parameter under /front/person/profile.html.
CVE-2022-38286 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/role/list.
CVE-2022-38277 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/folderrollpicture/list.
CVE-2022-38285 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/menu/list.
CVE-2022-38284 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/department/list.
CVE-2022-38283 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/video/list.
CVE-2022-38282 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/videoalbum/list.
CVE-2022-38281 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/site/list.
CVE-2022-38280 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/image/list.
CVE-2022-38279 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/imagealbum/list.
CVE-2022-38278 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/friendlylink/list.
CVE-2022-38276 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/foldernotice/list.
CVE-2022-38275 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/contact/list.
CVE-2022-38274 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/comment/list.
CVE-2022-38273 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/article/list_approve.
CVE-2022-38272 ↗	Sep 9, 2022Friday, 9 September 2022, 14:15	7.2 HIGH	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/article/list.
CVE-2022-36527 ↗	Aug 25, 2022Thursday, 25 August 2022, 19:15	5.4 MEDIUM	—
Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the post title text field under the publish blog module.
CVE-2022-37223 ↗	Aug 23, 2022Tuesday, 23 August 2022, 14:15	9.8 CRITICAL	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list.
CVE-2022-37199 ↗	Aug 23, 2022Tuesday, 23 August 2022, 13:15	9.8 CRITICAL	—
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/user/list.
CVE-2022-34928 ↗	Aug 3, 2022Wednesday, 3 August 2022, 01:15	8.8 HIGH	—
JFinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via /system/user.
CVE-2022-33114 ↗	Jun 23, 2022Thursday, 23 June 2022, 17:15	7.2 HIGH	6.5 MEDIUM
Jfinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list.
CVE-2022-33113 ↗	Jun 23, 2022Thursday, 23 June 2022, 17:15	5.4 MEDIUM	3.5 LOW
Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.
CVE-2022-29648 ↗	Jun 2, 2022Thursday, 2 June 2022, 14:15	5.4 MEDIUM	3.5 LOW
A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request.
CVE-2022-30500 ↗	May 26, 2022Thursday, 26 May 2022, 16:15	9.8 CRITICAL	7.5 HIGH
Jfinal cms 5.1.0 is vulnerable to SQL Injection.
CVE-2021-42242 ↗	May 5, 2022Thursday, 5 May 2022, 13:15	9.8 CRITICAL	7.5 HIGH
A command execution vulnerability exists in jfinal_cms 5.0.1 via com.jflyfox.component.controller.Ueditor.
CVE-2022-28505 ↗	May 3, 2022Tuesday, 3 May 2022, 17:15	7.2 HIGH	6.5 MEDIUM
Jfinal_cms 5.1.0 is vulnerable to SQL Injection via com.jflyfox.system.log.LogController.java.
CVE-2022-27111 ↗	Apr 11, 2022Monday, 11 April 2022, 15:15	5.4 MEDIUM	3.5 LOW
Jfinal_CMS 5.1.0 allows attackers to use the feedback function to send malicious XSS code to the administrator backend and execute it.
CVE-2021-46087 ↗	Jan 25, 2022Tuesday, 25 January 2022, 16:15	5.4 MEDIUM	3.5 LOW
In jfinal_cms >= 5.1 0, there is a storage XSS vulnerability in the background system of CMS. Because developers do not filter the parameters submitted by the user input form, any user with background permission can affect the system security by entering malicious code.
CVE-2021-37262 ↗	Dec 16, 2021Thursday, 16 December 2021, 19:15	7.5 HIGH	5 MEDIUM
JFinal_cms 5.1.0 is vulnerable to regex injection that may lead to Denial of Service.
CVE-2021-40639 ↗	Sep 15, 2021Wednesday, 15 September 2021, 22:15	7.5 HIGH	5 MEDIUM
Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js.