CVE-2022-38286: Some SQL injection vulnerabilities exists in JFinal CMS 5.1.0 · Issue #52 · jflyfox/jfinal_cms
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /system/role/list.
Administrator login is required. The default account password is admin:admin123
admin/videoalbum/list
There is a SQLi vulnerability in background mode. The route is as follows:
The vulnerable argument passing is as follows:
Successfully injected at route admin/videoalbum/list
admin/video/list
There is a SQLi vulnerability in background mode. The route is as follows:
The vulnerable argument passing is as follows:
Successfully injected at route admin/video/list
system/department/list
There is a SQLi vulnerability in background mode. The route is as follows:
The vulnerable argument passing is as follows:
Successfully injected at route system/department/list
system/menu/list
There is a SQLi vulnerability in background mode. The route is as follows:
The vulnerable argument passing is as follows:
Successfully injected at route system/menu/list
system/role/list
There is a SQLi vulnerability in background mode. The route is as follows:
The vulnerable argument passing is as follows:
Successfully injected at route system/role/list