Jfinaloaproject Jfinaloa

JFinalOA before 2025.01.01 SQLi via getWorkFlowHis?insid
CVE-2024-57775 8.8 - High - January 16, 2025

JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component getWorkFlowHis?insid.

SQL Injection

SQLi in JFinalOA <2025.01.01 via apply/save#oaContractApply.id
CVE-2024-57770 8.8 - High - January 16, 2025

JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component apply/save#oaContractApply.id.

SQL Injection

SQL Injection in JFinalOA borrowmoney/listData pre v2025.01.01
CVE-2024-57769 8.8 - High - January 16, 2025

JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component borrowmoney/listData?applyUser.

SQL Injection

JFinalOA <v2025.01.01 XSS in /apply/getEditPage?view Interface
CVE-2024-57776 - January 16, 2025

A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

XSS in JFinalOA getBusinessUploadListPage (before 2025.01.01)
CVE-2024-57774 - January 16, 2025

A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

JFinalOA <v2025.01.01 XSS via openSelectManyUserPage?orgid
CVE-2024-57773 - January 16, 2025

A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

XSS via /bumph/getDraftListPage?type in JFinalOA pre-2025.01.01
CVE-2024-57772 - January 16, 2025

A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

JFinalOA <v2025.01.01 XSS in common/getEditPage?view
CVE-2024-57771 - January 16, 2025

A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

SQL Injection in JFinalOA before v2025.01.01 via validRoleKey?sysRole.key
CVE-2024-57768 - January 16, 2025

JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key.

SQLi in Glorylion JFinalOA 1.0.2 SysOrg.java remote exploitation
CVE-2023-0758 9.8 - Critical - February 09, 2023

A vulnerability was found in glorylion JFinalOA 1.0.2 and classified as critical. This issue affects some unknown processing of the file src/main/java/com/pointlion/mvc/common/model/SysOrg.java. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-220469 was assigned to this vulnerability.

SQL Injection

An SQL Injection vulnerability exists in glorylion JFinalOA as of 9/7/2021 in the defkey parameter getHaveDoneTaskDataList method of the FlowTaskController.
CVE-2021-40645 6.5 - Medium - March 30, 2022

An SQL Injection vulnerability exists in glorylion JFinalOA as of 9/7/2021 in the defkey parameter getHaveDoneTaskDataList method of the FlowTaskController.

SQL Injection