Version 5.0.1

JFinal

JFinal is a simple, light, rapid,independent, extensible Java WEB + ORM framework. The feature of JFinal looks like ruby on rails especially ActiveRecord.

Install Instructions

mvn install jfinal
Language Java
Package URL (purl) pkg:maven/com.jfinal:jfinal@5.0.1

Find JFinal vulnerabilities in your supply chain.

Scan for Free

JFinal Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2021-31635 High 9.8 CWE-94 0.00489 0.75824
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2021-31649 High 9.8 CWE-502 0.01009 0.835
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2022-33113 Medium 5.4 CWE-79 0.00054 0.24432
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49372 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49373 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49374 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49375 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49376 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49377 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49378 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49379 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49380 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49381 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49382 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49383 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49395 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49396 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49397 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49398 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49446 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49447 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49448 High 8.8 CWE-352 0.00085 0.37799
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49485 Medium 5.4 CWE-79 0.00048 0.19785
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49486 Medium 5.4 CWE-79 0.00048 0.19785
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-49487 Medium 5.4 CWE-79 0.00048 0.19785
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-50100 Medium 5.4 CWE-79 0.00051 0.22292
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-50101 Medium 5.4 CWE-79 0.00051 0.22292
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-50102 Medium 5.4 CWE-79 0.00051 0.22292
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-50137 Medium 5.4 CWE-79 0.00051 0.22292
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2023-50449 High 7.5 CWE-22 0.00274 0.67658
  • 5.0.0–5.2.1
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2021-33348 Medium 6.1 CWE-79 0.00067 0.31258
  • 4.0–4.9.10
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2024-22492 Medium 5.4 CWE-79 0.0009 0.39655
  • 5.0.0
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2024-22493 Medium 5.4 CWE-79 0.0009 0.39655
  • 5.0.0
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2024-22496 Medium 6.1 CWE-79 0.00046 0.18853
  • 5.0.0
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2024-22497 Medium 6.1 CWE-79 0.00046 0.18853
  • 5.0.0
  • 4.0–4.9.23
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9
CVE-2019-17352 High 7.5 CWE-434 0.00225 0.60286
  • 4.0–4.4
  • 3.0–3.8
  • 2.0–2.2
  • 1.4.0–1.9

JFinal Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2024-22497 Cross Site Scripting (XSS) vulnerability in /admin/login password parameter in JFinalcms 5.0.0 allows attackers to run arbitrary code via crafted URL. 4.9.09, 4.9.18, 4.9.20, 4.9.19, 4.9.23, 4.3, 5.0.0, 4.9.02 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-22496 Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the /admin/login username parameter. 4.9.09, 4.9.18, 4.9.20, 4.9.19, 4.9.23, 4.3, 5.0.0, 4.9.02 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-22493 A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save content parameter, which allows remote attackers to inject arbitrary web script or HTML. 4.9.09, 4.9.18, 4.9.20, 4.9.19, 4.9.23, 4.3, 5.0.0, 4.9.02 (Show all) Patch → NO_SAFE_VERSION
CVE-2024-22492 A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save contact parameter, which allows remote attackers to inject arbitrary web script or HTML. 4.9.09, 4.9.18, 4.9.20, 4.9.19, 4.9.23, 4.3, 5.0.0, 4.9.02 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-50449 JFinalCMS 5.0.0 could allow a remote attacker to read files via ../ Directory Traversal in the /common/down/file fileKey parameter. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-50137 JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) in the site management office. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-50102 JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS). 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-50101 JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via Label management editing. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-50100 JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via carousel image editing. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49487 JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the navigation management department. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49486 JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the model management department. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49485 JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the column management department. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49448 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via admin/nav/delete. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49447 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/nav/update. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49446 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/nav/save. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49398 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/category/delete. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49397 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/category/updateStatus. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49396 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/category/save. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49395 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/category/update. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49383 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/tag/save. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49382 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/div/delete. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49381 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/div/update. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49380 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/friend_link/delete. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49379 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /admin/friend_link/save. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49378 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/form/save. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49377 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/tag/update. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49376 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/tag/delete. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49375 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/friend_link/update. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49374 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/slide/update. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49373 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/slide/delete. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2023-49372 JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/slide/save. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2022-33113 Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2021-33348 An issue was discovered in JFinal framework v4.9.10 and below. The "set" method of the "Controller" class of jfinal framework is not strictly filtered, which will lead to XSS vulnerabilities in some cases. 4.9.09, 4.3, 4.9.02, 4.9.05, 3.6, 4.4, 4.9.06, 4.9.08 (Show all) Patch → NO_SAFE_VERSION
CVE-2021-31649 In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerable to remote code execute 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2021-31635 Server-Side Template Injection (SSTI) vulnerability in jFinal v.4.9.08 allows a remote attacker to execute arbitrary code via the template function. 5.2.1, 5.1.9, 5.2.0, 5.1.8, 5.1.7, 5.1.6, 5.1.5, 5.1.4 (Show all) Patch → NO_SAFE_VERSION
CVE-2019-17352 In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vulnerability that can bypass the isSafeFile() function: one can upload any type of file. For example, a .jsp file may be stored and almost immediately deleted, but this deletion step does not occur for certain exceptions. 4.3, 3.6, 4.4, 3.0, 2.2, 1.4.0, 1.6, 1.5 (Show all) Patch → NO_SAFE_VERSION

Instantly see if these JFinal vulnerabilities affect your code.

Scan for Free

Dependencies

Packages using versions of JFinal affected by its vulnerabilities

Dependent Packages
junit:junit:4.13.2
org.slf4j:slf4j-api:1.7.36
com.jfinal:jetty-server:2019.3
org.eclipse.jetty:jetty-jsp:9.2.26.v20180806
com.jfinal:cos:2022.2
com.alibaba:druid:1.2.4
com.zaxxer:HikariCP:4.0.3
com.mchange:c3p0:0.9.5.5
com.alibaba:fastjson:1.2.83
net.sf.ehcache:ehcache-core:2.6.11
org.freemarker:freemarker:2.3.20
log4j:log4j:1.2.17
redis.clients:jedis:3.6.3
de.ruedigermoeller:fst:2.57
com.fasterxml.jackson.core:jackson-databind:2.11.0
it.sauronsoftware.cron4j:cron4j:2.2.5
com.google.zxing:javase:3.4.1
cglib:cglib-nodep:3.3.0
org.springframework:spring-webmvc:5.3.18