Headline
CVE-2022-38281: Some SQL injection vulnerabilities exists in JFinal CMS 5.1.0 · Issue #51 · jflyfox/jfinal_cms
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/site/list.
Administrator login is required. The default account password is admin:admin123
admin/article/list
There is a SQLI vul in background mode.The route is as following
vulnerable argument passing is as following
Successful injection at route admin/article/list
admin/article/list_approve
There is a SQLI vul in background mode.The route is as following
vulnerable argument passing is as following
Successfully injected at route admin/article/list_approve
admin/comment
There is a SQLI vul in background mode.The route is as following
vulnerable argument passing is as following
Successfully injected at route admin/comment/list
admin/contact/list
There is a SQLI vul in background mode.The route is as following
vulnerable argument passing is as following
Successfully injected at route admin/contact/list
admin/foldernotice/list
There is a SQLI vul in background mode.The route is as following
vulnerable argument passing is as following
Successfully injected at route admin/foldernotice/list
admin/folderrollpicture/list
There is a SQLI vul in background mode.The route is as following
vulnerable argument passing is as following
Successfully injected at route admin/folderrollpicture/list
admin/friendlylink/list
There is a SQLI vul in background mode.The route is as following
vulnerable argument passing is as following
Successfully injected at route admin/friendlylink/list
admin/imagealbum/list
There is a SQLI vul in background mode.The route is as following
vulnerable argument passing is as following
Successfully injected at route admin/imagealbum/list
admin/image/list
There is a SQLI vul in background mode.The route is as following
vulnerable argument passing is as following
Successfully injected at route admin/image/list
admin/site/list
There is a SQLI vul in background mode.The route is as following
vulnerable argument passing is as following
Successfully injected at route admin/site/list