Wiz
Vulnerability DatabaseCVE-2022-29648

CVE-2022-29648
Java vulnerability analysis and mitigation

Overview

A cross-site scripting (XSS) vulnerability was discovered in Jfinal CMS version 5.1.0. The vulnerability (CVE-2022-29648) allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request header (NVD, MITRE). The vulnerability was discovered and reported on April 14, 2022.

Technical details

The vulnerability exists in the guest TOP10 feature of Jfinal CMS where user IP addresses are displayed. The application does not properly sanitize the X-Forwarded-For header value before storing and displaying it, allowing attackers to inject malicious XSS payloads. When an administrator logs into the system, the stored malicious code is executed (GitHub Issue).

Impact

This vulnerability allows attackers to execute arbitrary JavaScript code in the context of an administrator's browser session. This could potentially lead to account compromise, data theft, or unauthorized administrative actions when an administrator views the affected pages (GitHub Issue).

Mitigation and workarounds

Security recommendations include implementing strict input filtering for user-supplied data and controlling page rendering content to prevent XSS attacks. Organizations should also consider upgrading to a patched version if available (GitHub Issue).

Additional resources

SourceThis report was generated using AI

Related Java vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-66516CRITICAL10
  • JavaJava
  • org.apache.tika:tika-parser-pdf-module
NoYesDec 04, 2025
CVE-2025-66566HIGH8.2
  • JavaJava
  • at.yawk.lz4:lz4-java
NoYesDec 05, 2025
CVE-2025-66623HIGH7.4
  • JavaJava
  • io.strimzi:strimzi
NoYesDec 05, 2025
GHSA-93fv-4pm9-xp28MEDIUM6.9
  • JavaJava
  • net.dv8tion:jda
NoYesDec 09, 2025
CVE-2025-11222MEDIUM6.1
  • JavaJava
  • com.linecorp.centraldogma:centraldogma-server-auth-shiro
NoYesDec 04, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo