cnvd - cnvd-2024-49645

cnvd-2024-49645

Vulnerability from cnvd

Title: JFinalCMS SQL注入漏洞（CNVD-2024-49645）

Description:

JFinalCMS是一个开源免费的JAVA企业网站开发建设管理系统。

JFinalCMS在1.0版本中存在SQL注入漏洞。该漏洞是由于受影响版本中未能对用户输入的数据进行充分的验证和过滤，攻击者可利用该漏洞导致SQL注入攻击。

Severity: 中

Formal description:

厂商尚未发布漏洞修复程序，请及时关注更新: https://github.com/hadagaga/vuln/blob/master/JFinalCMS/sql-1/SQL_injection_vulnerability.md

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-12351

Impacted products

Name
JFinalCMS JFinalCMS 1.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-12351",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-12351"
    }
  },
  "description": "JFinalCMS\u662f\u4e00\u4e2a\u5f00\u6e90\u514d\u8d39\u7684JAVA\u4f01\u4e1a\u7f51\u7ad9\u5f00\u53d1\u5efa\u8bbe\u7ba1\u7406\u7cfb\u7edf\u3002\n\nJFinalCMS\u57281.0\u7248\u672c\u4e2d\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u4e2d\u672a\u80fd\u5bf9\u7528\u6237\u8f93\u5165\u7684\u6570\u636e\u8fdb\u884c\u5145\u5206\u7684\u9a8c\u8bc1\u548c\u8fc7\u6ee4\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4SQL\u6ce8\u5165\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0:\r\nhttps://github.com/hadagaga/vuln/blob/master/JFinalCMS/sql-1/SQL_injection_vulnerability.md",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-49645",
  "openTime": "2024-12-31",
  "products": {
    "product": "JFinalCMS JFinalCMS 1.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-12351",
  "serverity": "\u4e2d",
  "submitTime": "2024-12-13",
  "title": "JFinalCMS SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2024-49645\uff09"
}

CVE-2024-12351 (GCVE-0-2024-12351)

Vulnerability from cvelistv5

Published

2024-12-09 00:31

Modified

2024-12-10 14:09

Severity ?

5.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-89 - SQL Injection
CWE-74 - Injection

Summary

A vulnerability classified as critical has been found in JFinalCMS 1.0. This affects the function findPage of the file src\main\java\com\cms\entity\ContentModel.java of the component File Content Handler. The manipulation of the argument name leads to sql injection. It is possible to initiate the attack remotely.

References

▼	URL	Tags
	https://vuldb.com/?id.287271	vdb-entry, technical-description
	https://vuldb.com/?ctiid.287271	signature, permissions-required
	https://vuldb.com/?submit.456048	third-party-advisory
	https://github.com/hadagaga/vuln/blob/master/JFinalCMS/sql-1/SQL_injection_vulnerability.md	related

Impacted products

	Vendor	Product	Version
	n/a	JFinalCMS	Version: 1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:jfinalcms_project:jfinalcms:1.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "jfinalcms",
            "vendor": "jfinalcms_project",
            "versions": [
              {
                "status": "affected",
                "version": "1.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12351",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-10T14:07:24.966840Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-10T14:09:20.540Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "File Content Handler"
          ],
          "product": "JFinalCMS",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "hadagaga (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as critical has been found in JFinalCMS 1.0. This affects the function findPage of the file src\\main\\java\\com\\cms\\entity\\ContentModel.java of the component File Content Handler. The manipulation of the argument name leads to sql injection. It is possible to initiate the attack remotely."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in JFinalCMS 1.0 entdeckt. Sie wurde als kritisch eingestuft. Hiervon betroffen ist die Funktion findPage der Datei src\\main\\java\\com\\cms\\entity\\ContentModel.java der Komponente File Content Handler. Mittels Manipulieren des Arguments name mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "SQL Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-09T00:31:06.456Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-287271 | JFinalCMS File Content ContentModel.java findPage sql injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.287271"
        },
        {
          "name": "VDB-287271 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.287271"
        },
        {
          "name": "Submit #456048 | jwillber JFinalCMS ContentModel.java findPage name 1 SQL Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.456048"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/hadagaga/vuln/blob/master/JFinalCMS/sql-1/SQL_injection_vulnerability.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-12-08T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-12-08T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-12-08T18:04:10.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "JFinalCMS File Content ContentModel.java findPage sql injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-12351",
    "datePublished": "2024-12-09T00:31:06.456Z",
    "dateReserved": "2024-12-08T16:59:02.518Z",
    "dateUpdated": "2024-12-10T14:09:20.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted