Cross-Site Scripting in JFinal CMS by JFlyFox
CVE-2023-22975

6.1MEDIUM

Key Information:

Vendor

Jflyfox

Status
Jfinal Cms
Vendor
CVE Published:
3 February 2023

What is CVE-2023-22975?

A cross-site scripting vulnerability exists in JFinal CMS v5.1.0 that permits attackers to inject arbitrary web scripts or HTML. This could occur via a maliciously crafted payload inserted into the email parameter on the profile page (/front/person/profile.html). Exploiting this vulnerability allows unauthorized users to execute scripts in the context of a victim's browser session, leading to potential data leakage or session hijacking.

References

https://github.com/jflyfox/jfinal_cms/issues/53

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.