JFinal CMS 5.1.0 ApiForm.java deserialization

Summaryinfo

A vulnerability was found in JFinal CMS 5.1.0. It has been classified as problematic. This issue affects some unknown processing of the file ApiForm.java. The manipulation leads to deserialization. This vulnerability is uniquely identified as CVE-2024-53477. No exploit exists.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in JFinal CMS 5.1.0. This issue affects an unknown code block of the file ApiForm.java. The manipulation with an unknown input leads to a deserialization vulnerability. Using CWE to declare the problem leads to CWE-502. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java

The advisory is shared at github.com. The identification of this vulnerability is CVE-2024-53477 since 11/20/2024. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 11/25/2025).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2024-51976). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Content Management System

Vendor

• JFinal

Name

• CMS

Version

• 5.1.0

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion