VYPR
High severity · NVD Advisory · Published Dec 5, 2023 · Updated Aug 2, 2024

CVE-2023-49373

Description

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via /admin/slide/delete.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 is vulnerable to CSRF in the /admin/slide/delete endpoint, allowing an attacker to delete slide records without admin consent.

Vulnerability

Overview

A Cross-Site Request Forgery (CSRF) vulnerability exists in JFinalCMS v5.0.0. The /admin/slide/delete endpoint does not implement anti-CSRF tokens or other validation mechanisms, making it possible for an attacker to trick an authenticated administrator into performing unintended deletion actions [1][2].

Exploitation

To exploit this vulnerability, the attacker crafts a malicious HTML page that automatically submits a POST request to the /admin/slide/delete endpoint with a target slide identifier (e.g., ids=84). If a logged-in administrator visits this page in the same browser session, the request is executed with the administrator's credentials, resulting in the deletion of the specified slide [3].

Impact

A successful CSRF attack allows the attacker to delete broadcast images or slides from the admin panel without authorization, potentially causing content disruption or data loss within the CMS [2][3].

Mitigation

As of the publication date, no official patch from the vendor has been mentioned for this specific CSRF issue. The vulnerability was publicly disclosed via a GitHub advisory with a proof-of-concept [3]. Administrators should consider implementing anti-CSRF tokens, or setting a SameSite policy on the admin session cookie, as a workaround.
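The two workarounds named above, modelled as an added example in Python (not code from JFinalCMS or from the advisory): a per-session anti-CSRF token that must accompany any POST to /admin/slide/delete, plus an Origin/Referer check that stands in for the browser-side SameSite protection. The site origin, the Request model and the _csrf field name are assumptions; the endpoint and the ids=84 parameter are the ones the advisory describes.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://cms.example.test"          # assumed origin of the admin panel (constructed)
ADMIN_MUTATING_PATHS = {"/admin/slide/delete"}    # endpoint named in the advisory


@dataclass
class Request:
    """Minimal model of the request parts a CSRF check needs (assumed shape, not JFinal's API)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session; the admin form embeds it as _csrf."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_ok(req: Request) -> bool:
    """A forged cross-site POST carries the attacker page's Origin/Referer; a legitimate one carries ours."""
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is None:
        return False  # fail closed when the browser sends neither header
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def _token_ok(req: Request) -> bool:
    """Constant-time comparison of the submitted token against the one bound to this session."""
    expected = req.session.get("csrf_token")
    supplied = req.form.get("_csrf")
    return bool(expected and supplied and hmac.compare_digest(expected, supplied))


def csrf_check(req: Request) -> tuple:
    """Return (allowed, reason). Only state-changing requests to gated admin paths are checked."""
    if req.method.upper() in {"GET", "HEAD", "OPTIONS"} or req.path not in ADMIN_MUTATING_PATHS:
        return True, "not a gated request"
    if not _origin_ok(req):
        return False, "cross-origin or missing Origin/Referer"
    if not _token_ok(req):
        return False, "missing or mismatched anti-CSRF token"
    return True, "ok"
```

A request auto-submitted from an attacker-controlled page fails on the origin check even before the token is inspected, while the same form submitted from the admin UI with its embedded token passes.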

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)