{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8706", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2024-09-11T16:28:21.627Z", "datePublished": "2024-09-11T23:31:06.227Z", "dateUpdated": "2024-09-12T16:40:49.801Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-09-11T23:31:06.227Z"}, "title": "JFinalCMS com.cms.util.TemplateUtils update path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Path Traversal"}]}], "affected": [{"vendor": "n/a", "product": "JFinalCMS", "versions": [{"version": "20240903", "status": "affected"}], "modules": ["com.cms.util.TemplateUtils"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in JFinalCMS up to 20240903. It has been classified as problematic. This affects the function update of the file /admin/template/update of the component com.cms.util.TemplateUtils. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in JFinalCMS bis 20240903 ausgemacht. Sie wurde als problematisch eingestuft. Es betrifft die Funktion update der Datei /admin/template/update der Komponente com.cms.util.TemplateUtils. Durch Manipulation des Arguments fileName mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "timeline": [{"time": "2024-09-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2024-09-11T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-09-11T18:33:43.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "xinjiuW (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.277215", "name": "VDB-277215 | JFinalCMS com.cms.util.TemplateUtils update path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.277215", "name": "VDB-277215 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.402346", "name": "Submit #402346 | 10Web CMS <=1.0 Path Equivalence: 'fakedir/../realdir/filename'", "tags": ["third-party-advisory"]}, {"url": "https://gitee.com/heyewei/JFinalcms/issues/IAOSJG", "tags": ["issue-tracking"]}, {"url": "https://github.com/xingjiuW/cve/blob/main/wh.md", "tags": ["exploit"]}]}, "adp": [{"affected": [{"vendor": "jfinalcms_project", "product": "jfinalcms", "cpes": ["cpe:2.3:a:jfinalcms_project:jfinalcms:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "20240903", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-12T16:39:53.664987Z", "id": "CVE-2024-8706", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T16:40:49.801Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8706", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-12T16:39:53.664987Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jfinalcms_project:jfinalcms:*:*:*:*:*:*:*:*"], "vendor": "jfinalcms_project", "product": "jfinalcms", "versions": [{"status": "affected", "version": "0", "lessThan": "20240903", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T16:40:34.990Z"}}], "cna": {"title": "JFinalCMS com.cms.util.TemplateUtils update path traversal", "credits": [{"lang": "en", "type": "reporter", "value": "xinjiuW (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "affected": [{"vendor": "n/a", "modules": ["com.cms.util.TemplateUtils"], "product": "JFinalCMS", "versions": [{"status": "affected", "version": "20240903"}]}], "timeline": [{"lang": "en", "time": "2024-09-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2024-09-11T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2024-09-11T18:33:43.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.277215", "name": "VDB-277215 | JFinalCMS com.cms.util.TemplateUtils update path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.277215", "name": "VDB-277215 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.402346", "name": "Submit #402346 | 10Web CMS <=1.0 Path Equivalence: 'fakedir/../realdir/filename'", "tags": ["third-party-advisory"]}, {"url": "https://gitee.com/heyewei/JFinalcms/issues/IAOSJG", "tags": ["issue-tracking"]}, {"url": "https://github.com/xingjiuW/cve/blob/main/wh.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in JFinalCMS up to 20240903. It has been classified as problematic. This affects the function update of the file /admin/template/update of the component com.cms.util.TemplateUtils. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in JFinalCMS bis 20240903 ausgemacht. Sie wurde als problematisch eingestuft. Es betrifft die Funktion update der Datei /admin/template/update der Komponente com.cms.util.TemplateUtils. Durch Manipulation des Arguments fileName mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Path Traversal"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-09-11T23:31:06.227Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8706", "state": "PUBLISHED", "dateUpdated": "2024-09-12T16:40:49.801Z", "dateReserved": "2024-09-11T16:28:21.627Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2024-09-11T23:31:06.227Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:heyewei:jfinalcms:*:*:*:*:*:*:*:*", "matchCriteriaId": "125439AC-0CDC-4C23-8D7C-CA22D3964B71", "versionEndExcluding": "20240903", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in JFinalCMS up to 20240903. It has been classified as problematic. This affects the function update of the file /admin/template/update of the component com.cms.util.TemplateUtils. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en JFinalCMS hasta el 20240903. Se ha clasificado como problem\u00e1tica. Afecta a la funci\u00f3n update del archivo /admin/template/update del componente com.cms.util.TemplateUtils. La manipulaci\u00f3n del argumento fileName provoca un path traversal. Es posible iniciar el ataque de forma remota. El exploit se ha hecho p\u00fablico y puede utilizarse."}], "id": "CVE-2024-8706", "lastModified": "2025-06-05T20:07:09.180", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2024-09-12T00:15:02.363", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://gitee.com/heyewei/JFinalcms/issues/IAOSJG"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/xingjiuW/cve/blob/main/wh.md"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.277215"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.277215"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.402346"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{}