VYPR
High severity · NVD Advisory · Published Dec 5, 2023 · Updated Aug 2, 2024

CVE-2023-49383

Description

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/tag/save.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 is vulnerable to CSRF in /admin/tag/save, allowing attackers to perform unauthorized actions via crafted requests.

CVE-2023-49383 is a Cross-Site Request Forgery (CSRF) vulnerability in JFinalCMS v5.0.0, specifically in the /admin/tag/save endpoint. The root cause is the lack of anti-CSRF tokens or origin validation, enabling attackers to forge requests that modify tag data on behalf of an authenticated administrator [1][2].

Exploitation requires the victim admin to be logged into the application and to click on a malicious link or visit a page hosting a crafted HTML form. A proof-of-concept demonstrates a form that automatically submits a POST request with parameters such as a tag name, thereby creating a new tag without the admin's consent [2]. The attack can be carried out from any origin, as no cross-origin protections are implemented.

Successful exploitation allows an attacker to create or modify tags in the system. This could lead to data integrity issues, and if tag names are used in other parts of the application (e.g., displayed on pages), it could pave the way for stored Cross-Site Scripting (XSS) attacks, though the advisory does not confirm this.

As of December 2023, no official patch has been released for this vulnerability. Users are advised to implement CSRF tokens, validate the Origin header, or employ additional security measures such as re-authentication for sensitive actions until a fix is provided [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
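A server-side check of the kind the narrative recommends, written here as an added example rather than code from JFinalCMS or the JFinal framework: it models an admin POST to /admin/tag/save with a minimal request record (an assumption, not the project's own API), requires the form's _csrf field to match the token bound to the admin's session, and accepts the request only from an allow-listed origin. The cms.example.org origin, the _csrf field name and the sample requests are constructed values.

```java
import java.net.URI;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

// Minimal stand-in for an admin POST request; an assumed model, not JFinalCMS's own request type.
record AdminRequest(Map<String, String> headers, Map<String, String> params, String sessionCsrfToken) {}

public final class CsrfGuard {
    // Origins that legitimately serve the admin UI (assumed deployment value).
    private static final Set<String> ALLOWED_ORIGINS = Set.of("https://cms.example.org");

    // Synchronizer token: the hidden form field must equal the token stored in the admin's session.
    static boolean tokenMatches(AdminRequest req) {
        String submitted = req.params().get("_csrf");
        String expected = req.sessionCsrfToken();
        if (submitted == null || expected == null) return false;
        // Constant-time comparison so a mismatch does not leak the token through timing.
        return MessageDigest.isEqual(submitted.getBytes(), expected.getBytes());
    }

    // Origin check: use the Origin header, falling back to the Referer's origin when a browser omits it.
    static boolean originAllowed(AdminRequest req) {
        String origin = req.headers().get("Origin");
        if (origin == null) {
            String referer = req.headers().get("Referer");
            if (referer == null) return false; // no source information at all: reject the state change
            try {
                URI u = URI.create(referer);
                if (u.getScheme() == null || u.getHost() == null) return false;
                origin = u.getScheme() + "://" + u.getHost();
            } catch (IllegalArgumentException e) {
                return false;
            }
        }
        return ALLOWED_ORIGINS.contains(origin);
    }

    // Both defences must pass before a tag is created or modified; either one alone stops the forged form.
    static boolean allow(AdminRequest req) {
        return originAllowed(req) && tokenMatches(req);
    }

    public static void main(String[] args) {
        // Constructed sample: the cross-origin auto-submitting form the advisory describes (no token).
        AdminRequest forged = new AdminRequest(Map.of("Origin", "https://attacker.example"),
                Map.of("name", "injected-tag"), "s3ss10n-t0k3n");
        // Constructed sample: the admin's own submission from the CMS, carrying the session-bound token.
        AdminRequest legit = new AdminRequest(Map.of("Referer", "https://cms.example.org/admin/tag/add"),
                Map.of("name", "news", "_csrf", "s3ss10n-t0k3n"), "s3ss10n-t0k3n");
        System.out.println("forged request allowed: " + allow(forged));
        System.out.println("admin request allowed:  " + allow(legit));
    }
}
```

The token must be generated per session from a CSPRNG and embedded in every state-changing admin form; the Origin fallback exists because some browsers send only Referer on same-origin POSTs.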

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.