com.jfinal:jfinal@5.0.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.jfinal:jfinal package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • M
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') via the site management module. An attacker can inject malicious scripts that may be executed in the context of the user's browser session by submitting crafted input to the affected component.

How to fix Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • M
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') via the Label management editing feature. An attacker can inject and execute arbitrary script code in the context of the user's browser session by submitting a crafted payload through the editing interface.

How to fix Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • M
Cross-site Scripting (XSS)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). An attacker can inject malicious scripts that may be executed in the context of the user's browser session by submitting crafted input.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • M
Cross-site Scripting (XSS)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the carousel image editing feature. An attacker can inject malicious scripts that may be executed in the context of the user's browser by submitting crafted input.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') via the /common/down/file fileKey parameter. An attacker can read files on the server by submitting crafted input containing directory traversal sequences such as ../.

How to fix Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')?

There is no fixed version for com.jfinal:jfinal.

[0,)
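The path traversal entry above describes a download endpoint that turns a user-supplied fileKey into a filesystem path. The following is an added example, not JFinal's own code, showing the unsafe concatenation beside a hardened resolver that canonicalizes the path and requires it to stay inside a fixed base directory. The SafeDownload class, the base directory and the sample keys are constructed for illustration; it needs Java 11 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not JFinal's own code): resolve a user-supplied fileKey
 * inside a fixed upload directory and reject anything that escapes it.
 */
public final class SafeDownload {

    private final Path baseDir;

    public SafeDownload(Path baseDir) throws IOException {
        // toRealPath() resolves symlinks and ".." so later comparisons are canonical.
        this.baseDir = baseDir.toRealPath();
    }

    /** Vulnerable pattern: the key is joined straight onto the base directory. */
    public Path resolveUnsafe(String fileKey) {
        return baseDir.resolve(fileKey);   // "../../etc/passwd" walks out of baseDir
    }

    /**
     * Hardened pattern: normalise, then require the result to remain under baseDir.
     * Returns null when the key is rejected.
     */
    public Path resolveSafe(String fileKey) throws IOException {
        if (fileKey == null || fileKey.isEmpty() || fileKey.indexOf('\0') >= 0) {
            return null;
        }
        // resolve() with an absolute key ("/etc/passwd") discards baseDir entirely,
        // and normalize() removes "." and ".." lexically; startsWith() then compares
        // whole path components, so "/data/uploads2" is not mistaken for being
        // inside "/data/uploads" the way a string-prefix check would.
        Path candidate = baseDir.resolve(fileKey).normalize();
        if (!candidate.startsWith(baseDir)) {
            return null;
        }
        // For an existing file, re-check after following any symlink inside baseDir.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            return real.startsWith(baseDir) ? real : null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temp directory stands in for the upload store.
        Path base = Files.createTempDirectory("uploads");
        Files.writeString(base.resolve("report.pdf"), "pdf bytes");
        SafeDownload dl = new SafeDownload(base);

        String[] keys = {
            "report.pdf",             // legitimate
            "../../../etc/passwd",    // classic traversal
            "sub/../report.pdf",      // traversal that still lands inside baseDir
            "/etc/passwd"             // absolute path, bypasses naive prefix checks
        };
        for (String key : keys) {
            System.out.printf("%-22s unsafe -> %s%n", key, dl.resolveUnsafe(key).normalize());
            System.out.printf("%-22s safe   -> %s%n", key, dl.resolveSafe(key));
        }
    }
}
```

In a JFinal controller the hardened resolver would sit between reading the parameter and serving the file: resolve the key, and if the result is null return a 404 instead of a file. The controller method names involved (reading a parameter, rendering an error, rendering a file) should be checked against the JFinal version in use; the example above deliberately depends only on java.nio.file so it runs without the framework.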
  • M
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') via the navigation management module. An attacker can inject malicious scripts that may be executed in the context of the user's browser by submitting crafted input to the affected component.

How to fix Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • M
Cross-site Scripting (XSS)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the model management module. An attacker can inject malicious scripts that may be executed in the context of the user's browser session.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • M
Cross-site Scripting (XSS)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the column management functionality. An attacker can inject and execute arbitrary script code in the context of the user's browser session by submitting crafted input.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/div/delete endpoint. An attacker can perform unauthorized actions on behalf of a logged-in user by tricking them into visiting a malicious web page.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/category/save endpoint. An attacker can perform unauthorized actions on behalf of a logged-in user by tricking them into visiting a malicious web page.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/friend_link/save endpoint. An attacker can manipulate the state of the application by tricking a legitimate user into performing actions they did not intend to perform.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/slide/update endpoint. An attacker can perform unauthorized actions on behalf of a logged-in user by tricking the user into clicking a malicious link or visiting a crafted webpage.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/friend_link/update endpoint. An attacker can manipulate the state of the application by tricking a legitimate user into submitting a request that the user did not intend.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/tag/update endpoint. An attacker can manipulate the state of the application by tricking a legitimate user into submitting a request that the user did not intend.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/nav/save endpoint. An attacker can manipulate the state of the application by tricking a legitimate user into submitting a request to the server without their consent.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/category/delete endpoint. An attacker can perform unauthorized actions on behalf of a logged-in user by tricking the user into submitting a crafted request.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/nav/delete endpoint. An attacker can perform unauthorized actions on behalf of a logged-in user by tricking them into visiting a malicious web page.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/category/updateStatus endpoint. An attacker can perform unauthorized actions on behalf of a logged-in user by tricking them into visiting a malicious webpage.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via a specially crafted request to the /admin/tag/save endpoint. An attacker can manipulate the state of the application on behalf of the victim by tricking the victim into submitting a request to the vulnerable endpoint.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/slide/delete endpoint. An attacker can perform unauthorized actions on behalf of a legitimate user by tricking the user into clicking a malicious link or visiting a compromised website.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/nav/update endpoint. An attacker can manipulate the state of the application by tricking a legitimate user into submitting a request that the user did not intend.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/form/save endpoint. An attacker can perform unauthorized actions on behalf of a logged-in user by tricking them into submitting a crafted request.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/friend_link/delete endpoint. An attacker can perform unauthorized actions on behalf of a legitimate user by tricking the user into clicking a malicious link or visiting a compromised website.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/slide/save endpoint. An attacker can perform unauthorized actions on behalf of an authenticated user by enticing them to click a malicious link or visit a crafted webpage.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/tag/delete endpoint. An attacker can perform unauthorized actions on behalf of a logged-in user by tricking them into clicking a malicious link or visiting a crafted webpage.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • H
Cross-Site Request Forgery (CSRF)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) via the /admin/div/update endpoint. An attacker can manipulate the state of the application by tricking a legitimate user into submitting a request that the user did not intend.

How to fix Cross-Site Request Forgery (CSRF)?

There is no fixed version for com.jfinal:jfinal.

[0,)
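The CSRF entries above all share one root cause: the /admin/* save, update, delete and updateStatus endpoints accept a state-changing request on the strength of the session cookie alone, which the victim's browser attaches automatically. The following is an added example, not JFinal's own code, of a synchronizer-token guard that covers every such endpoint from one place: a random per-session token is issued when an admin form is rendered, and any non-safe request must echo it back in a form field or header. The session is modelled as a Map, and the CsrfGuard class, field name _csrf and header name X-CSRF-Token are assumptions for illustration; it needs Java 9 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not JFinal's own code): synchronizer-token CSRF protection.
 * One token per session, embedded in every admin form, required on every
 * state-changing request, compared in constant time.
 */
public final class CsrfGuard {

    static final String SESSION_KEY = "_csrf";          // assumed names
    static final String PARAM_NAME = "_csrf";
    static final String HEADER_NAME = "X-CSRF-Token";
    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD", "OPTIONS");
    private static final SecureRandom RNG = new SecureRandom();

    /** Issue (or reuse) the session's token; call this when rendering a form. */
    public static String tokenFor(Map<String, Object> session) {
        Object existing = session.get(SESSION_KEY);
        if (existing instanceof String) {
            return (String) existing;
        }
        byte[] buf = new byte[32];                       // 256 bits of entropy
        RNG.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        session.put(SESSION_KEY, token);
        return token;
    }

    /**
     * Decide whether a request may proceed. Safe methods pass; anything else
     * must carry the session's token in the form field or the header.
     */
    public static boolean allow(String method, Map<String, Object> session,
                                Map<String, String> params, Map<String, String> headers) {
        if (SAFE_METHODS.contains(method.toUpperCase())) {
            return true;
        }
        Object expected = session.get(SESSION_KEY);
        if (!(expected instanceof String)) {
            return false;                                // no token was ever issued
        }
        String supplied = params.get(PARAM_NAME);
        if (supplied == null) {
            supplied = headers.get(HEADER_NAME);
        }
        if (supplied == null) {
            return false;
        }
        // Constant-time comparison: a plain equals() leaks how many leading bytes match.
        return MessageDigest.isEqual(
            ((String) expected).getBytes(StandardCharsets.UTF_8),
            supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String token = tokenFor(session);

        // Legitimate form submission from the admin UI carries the token.
        Map<String, String> good = new HashMap<>(Map.of("id", "7", PARAM_NAME, token));
        // Forged cross-site request: the cookie rides along, but the attacker's page
        // cannot read the token, so the field is absent or guessed.
        Map<String, String> forged = Map.of("id", "7");
        Map<String, String> guessed = Map.of("id", "7", PARAM_NAME, "AAAA");

        System.out.println("POST /admin/div/delete, token   : " + allow("POST", session, good, Map.of()));
        System.out.println("POST /admin/div/delete, forged  : " + allow("POST", session, forged, Map.of()));
        System.out.println("POST /admin/div/delete, guessed : " + allow("POST", session, guessed, Map.of()));
        System.out.println("GET  /admin/div/list            : " + allow("GET", session, Map.of(), Map.of()));
    }
}
```

In a JFinal application the natural place for allow() is an interceptor applied to the whole /admin controller tree, so a new endpoint cannot be added without protection. Two caveats: the guard skips GET, so if any of the delete or update endpoints listed above is reachable by GET it must first be restricted to POST, otherwise a plain image tag on the attacker's page still triggers it; and the token must never be placed in a URL, where it would leak through Referer headers and logs. Setting the session cookie with SameSite=Lax or Strict is a worthwhile second layer but does not replace the token.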
  • H
Arbitrary Code Execution

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the template function. The advisory gives no further detail on the affected component or the trigger conditions.

How to fix Arbitrary Code Execution?

There is no fixed version for com.jfinal:jfinal.

[0,)
  • C
Deserialization of Untrusted Data

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data when Redis is used: values read back from Redis are deserialized as Java objects, so an attacker who can control the stored bytes may achieve code execution.

How to fix Deserialization of Untrusted Data?

There is no fixed version for com.jfinal:jfinal.

[0,)
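The deserialization entry above concerns a cache that reads bytes back from Redis and reconstructs Java objects from them; anyone who can write to that Redis instance can plant a gadget chain. The following is an added example, not JFinal's own code, that contrasts a bare ObjectInputStream with one guarded by the JDK's own allow-list mechanism, java.io.ObjectInputFilter (JDK 9+). The SafeCacheCodec and CachedSession classes and the byte payloads are constructed for illustration; the "tampered" payload is simply a type the application never stores, standing in for whatever an attacker would write.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;

/**
 * Added example (not JFinal's own code): deserialise cache values through an
 * allow-list filter so that only the expected application type is instantiated.
 */
public final class SafeCacheCodec {

    /** The only application type this cache is expected to hold (constructed). */
    public static final class CachedSession implements Serializable {
        private static final long serialVersionUID = 1L;
        final String userId;
        CachedSession(String userId) { this.userId = userId; }
    }

    // Allow exactly the types we write, bound the stream's size and depth, and
    // reject everything else ("!*") before any constructor or readObject runs.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxrefs=100;maxbytes=65536;"
        + CachedSession.class.getName() + ";java.lang.String;!*");

    public static byte[] encode(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: whatever class the stream names gets instantiated. */
    public static Object decodeUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: the filter vetoes unexpected classes as they are read. */
    public static Object decodeSafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = encode(new CachedSession("u-42"));

        // Constructed stand-in for a tampered cache entry: a type the app never stores.
        HashMap<String, Object> planted = new HashMap<>();
        planted.put("x", new ArrayList<>());
        byte[] tampered = encode(planted);

        System.out.println("legit, safe     : " + ((CachedSession) decodeSafe(legit)).userId);
        System.out.println("tampered, unsafe: " + decodeUnsafe(tampered).getClass().getName());
        try {
            decodeSafe(tampered);
        } catch (InvalidClassException e) {
            System.out.println("tampered, safe  : rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter is a containment measure, not a cure: the stronger fix is to stop putting Java-serialized objects into a store that untrusted parties may be able to write to, and to cache plain data (JSON or a fixed binary layout) instead. Where serialization must stay, restrict network access to Redis and require authentication on it, so that tampering with the stored bytes is not trivially possible in the first place.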
  • M
Cross-site Scripting (XSS)

com.jfinal:jfinal is JFinal, a simple, light, rapid, independent, extensible Java web and ORM framework. Its design resembles Ruby on Rails, especially ActiveRecord.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The set method of the Controller class does not strictly filter the values it stores, so values that reach a rendered page unescaped can lead to XSS in some cases.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for com.jfinal:jfinal.

[0,)
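Every XSS entry on this page, from the site, navigation, model, column, label and carousel management features down to the Controller.set entry directly above, comes down to attacker-controlled text reaching an HTML page without context-appropriate encoding. The following is an added example, not JFinal's own code, that shows raw interpolation beside output encoding applied at render time; it also shows that a value placed inside a URL query string needs URL encoding before HTML escaping, because the two contexts have different metacharacters. The HtmlEscape class, the attribute names and the attacker strings are constructed for illustration; it needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not JFinal's own code): context-aware output encoding for
 * values a controller hands to a template. The "template" here is string
 * concatenation so the encoding step is the only moving part.
 */
public final class HtmlEscape {

    /** Escape for HTML text content and double-quoted attribute values. */
    public static String forHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#x2F;"); break;   // blocks "</script>" style breakouts
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable rendering: attributes set by the controller are interpolated raw. */
    public static String renderUnsafe(Map<String, Object> attrs) {
        Object title = attrs.get("title");
        Object tag = attrs.get("tagName");
        return "<h1>" + title + "</h1>\n"
             + "<a href=\"/tag?name=" + tag + "\">" + tag + "</a>";
    }

    /** Hardened rendering: encode for the context each value lands in. */
    public static String renderSafe(Map<String, Object> attrs) {
        String title = String.valueOf(attrs.get("title"));
        String tag = String.valueOf(attrs.get("tagName"));
        // Query-string value: URL-encode first, then HTML-escape the result because
        // it sits inside an HTML attribute.
        String tagInUrl = forHtml(URLEncoder.encode(tag, StandardCharsets.UTF_8));
        return "<h1>" + forHtml(title) + "</h1>\n"
             + "<a href=\"/tag?name=" + tagInUrl + "\">" + forHtml(tag) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed attacker input, as a stored tag or label name would arrive.
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("title", "<script>alert(document.cookie)</script>");
        attrs.put("tagName", "x\" onmouseover=\"alert(1)");

        System.out.println("--- unsafe ---");
        System.out.println(renderUnsafe(attrs));
        System.out.println("--- safe ---");
        System.out.println(renderSafe(attrs));
    }
}
```

The point for the Controller.set entry is that filtering at the point where a value is stored cannot know which context it will later be rendered into, so the durable fix is escaping at output time in the template layer, ideally with escaping on by default so that a developer has to opt out explicitly for the rare trusted-HTML case. A Content-Security-Policy that disallows inline script is a useful second layer for the stored-XSS cases listed on this page, but it does not remove the need to encode.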