Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJjMjUteGZwcS04dzly
Cross-site scripting in jfinal
An issue was discovered in JFinal framework v4.9.10 and below. The "set" method of the "Controller" class of jfinal framework is not strictly filtered, which will lead to XSS vulnerabilities in some cases.
Permalink: https://github.com/advisories/GHSA-2c25-xfpq-8w9rJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJjMjUteGZwcS04dzly
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-2c25-xfpq-8w9r, CVE-2021-33348
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-33348
- https://github.com/jfinal/jfinal/issues/188
- https://github.com/advisories/GHSA-2c25-xfpq-8w9r
Blast Radius: 17.9
Affected Packages
maven:com.jfinal:jfinal
Dependent packages: 151Dependent repositories: 855
Downloads:
Affected Version Ranges: <= 4.9.10
Fixed in: 4.9.11
All affected versions: 1.4.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.9.7, 4.9.8, 4.9.9, 4.9.10
All unaffected versions: 4.9.11, 4.9.12, 4.9.13, 4.9.14, 4.9.15, 4.9.16, 4.9.17, 4.9.18, 4.9.19, 4.9.20, 4.9.21, 4.9.22, 4.9.23, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7