Vulnerability Description
A vulnerability was found in JFinalCMS up to 20240903. It has been classified as problematic. This affects the function update of the file /admin/template/update of the component com.cms.util.TemplateUtils. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Heyewei | Jfinalcms | < 20240903 |
Related Weaknesses (CWE)
References
- https://gitee.com/heyewei/JFinalcms/issues/IAOSJGExploitIssue TrackingVendor Advisory
- https://github.com/xingjiuW/cve/blob/main/wh.mdExploitThird Party Advisory
- https://vuldb.com/?ctiid.277215Permissions RequiredVDB Entry
- https://vuldb.com/?id.277215Third Party AdvisoryVDB Entry
- https://vuldb.com/?submit.402346Third Party AdvisoryVDB Entry
FAQ
What is CVE-2024-8706?
CVE-2024-8706 is a vulnerability with a CVSS score of 4.3 (MEDIUM). A vulnerability was found in JFinalCMS up to 20240903. It has been classified as problematic. This affects the function update of the file /admin/template/update of the component com.cms.util.Template...
How severe is CVE-2024-8706?
CVE-2024-8706 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-8706?
Check the references section above for vendor advisories and patch information. Affected products include: Heyewei Jfinalcms.