VYPR
High severity · NVD Advisory · Published Dec 5, 2023 · Updated Aug 2, 2024

CVE-2023-49379

Description

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /admin/friend_link/save.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 is vulnerable to cross-site request forgery (CSRF) in the friend link save endpoint, allowing unauthorized creation of friend links.

Vulnerability

Description

JFinalCMS v5.0.0 contains a cross-site request forgery (CSRF) vulnerability in the /admin/friend_link/save component [1][2]. The application does not implement any CSRF token or other anti-forgery mechanisms on this endpoint, making it possible for an attacker to trick an authenticated administrator into performing unintended actions [2].

Exploitation

An attacker can craft a malicious HTML page that automatically submits a form to the vulnerable endpoint when an authenticated administrative user visits the page [2]. The proof-of-concept exploit demonstrates that the form can include arbitrary values for fields such as name, url, and sort, which would create or modify a friend link entry in the CMS [2]. The only prerequisite is that the victim holds an active administrator session on the JFinalCMS application.

Impact

Successful exploitation allows an attacker to create unauthorized friend links, potentially redirecting users to malicious external sites or polluting the CMS with spam links [2]. This could damage the site's reputation or be used to spread phishing content. The attack does not require any interaction beyond the victim clicking on a link or visiting a compromised page [2].

Mitigation

No official patch or advisory has been published by the vendor for JFinalCMS v5.0.0 regarding this CSRF issue [1][2]. The CVSS score for this vulnerability is not provided in the available references. Users should consider implementing CSRF tokens or SameSite cookie attributes as a workaround until a fix is released. The vulnerability has been publicly documented with a working proof-of-concept, increasing the risk of exploitation.
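The synchronizer-token workaround named above, written out as an added example that is not part of this advisory or of JFinalCMS: a standard servlet filter meant to sit in front of the /admin/* routes, so a request to /admin/friend_link/save that does not carry the per-session token is refused before the controller runs. The parameter name _csrf, the session attribute name and the filter mapping are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

public class AdminCsrfFilter implements Filter {
    static final String TOKEN_ATTR = "csrfToken"; // assumed session attribute name
    static final String TOKEN_PARAM = "_csrf";    // assumed hidden form field name
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // Issue one random token per session so admin templates can embed it as a hidden field.
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        if (expected == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            expected = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_ATTR, expected);
        }

        // Safe methods only read state; the token is demanded for POST, PUT, DELETE, ...
        String method = request.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            chain.doFilter(req, res);
            return;
        }

        // A form auto-submitted from another origin cannot read the session token,
        // so the friend_link/save request is rejected here. Compare in constant
        // time so timing differences do not leak the token byte by byte.
        String submitted = request.getParameter(TOKEN_PARAM);
        if (submitted == null || !MessageDigest.isEqual(
                submitted.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to /admin/* in web.xml and render the TOKEN_ATTR value into every admin form as a hidden _csrf field; the second workaround the advisory names, a SameSite attribute on the session cookie, is set in the servlet container rather than in application code (for Tomcat, the CookieProcessor sameSiteCookies setting in context.xml).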

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: (none)

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (No linked articles in our index yet.)