VYPR
High severity · NVD Advisory · Published Dec 5, 2023 · Updated Aug 2, 2024

CVE-2023-49395

Description

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/category/update.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 does not protect the category update endpoint (/admin/category/update) against CSRF. An attacker who lures a logged-in administrator to a page under their control can make the administrator's browser submit a forged update request that the CMS accepts as legitimate.

Vulnerability

Overview

JFinalCMS v5.0.0 is affected by a Cross-Site Request Forgery (CSRF) vulnerability in the /admin/category/update endpoint. The endpoint accepts a state-changing POST on the strength of the session cookie alone: no anti-CSRF token is issued or checked, and the origin of the request is not validated. An attacker can therefore host an HTML form that, when an authenticated administrator visits the hosting page, performs category modifications the administrator never intended [1][2].

Exploitation

Scenario

An attacker exploits this by tricking an authenticated CMS administrator into visiting a malicious web page that contains an auto-submitting HTML form. The form carries all parameters the update handler expects (e.g., id, name, parentId) with attacker-chosen values. Because the CMS does not check where the request originated, and because the administrator's browser attaches the session cookie to the cross-site POST automatically, the server treats the forged request exactly like one submitted from the admin UI and applies the changes [2]. The PoC targets http://127.0.0.1:8888/admin/category/update with hidden inputs that mirror a legitimate update request.

Impact

Successful exploitation lets an attacker modify existing categories: rename them, change their template or parent, or alter whatever other fields the update handler accepts. This can deface content, break site navigation, or serve as one step in a chain with other issues to reach further administrative actions. The attacker needs no account on the CMS; the only precondition is that an administrator with a live session loads the attacker's page.

Mitigation

At the time of publication, no official patch had been released and the vendor had not responded to the report [1][2]. Recommended mitigations are the standard CSRF controls: issue a per-session synchronizer token, embed it in every admin form and reject any state-changing request that does not present a matching token; verify the Origin header (or, where it is absent, the Referer) against the site's own origin, treating a missing header on a POST as a failure rather than a pass; and mark the session cookie SameSite=Lax or Strict so browsers withhold it from cross-site form submissions. Note the caveats: Referer can be stripped by privacy settings, so it cannot be the only check, and SameSite protects only if the endpoint refuses to change state on GET, since Lax still sends the cookie on top-level GET navigations. Tokens are the most robust of the three; the other two are defence in depth.
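The following Python is an added example written for this advisory, not JFinalCMS or JFinal code. It models the forged request described under Scenario (the administrator's browser posting to /admin/category/update on http://127.0.0.1:8888 with the session cookie attached and an attacker-controlled Origin), a cookie-only handler that accepts it, and a hardened handler implementing the synchronizer token and Origin check recommended above. The cookie name JSESSIONID, the token field name _csrf, the session identifier and the sample category data are assumptions constructed for the example; the target origin, path and parameter names (id, name, parentId) are those the PoC uses.

```python
"""CSRF on /admin/category/update: forged request vs. cookie-only and hardened checks.

Constructed example for the advisory, not project code. Cookie name, token field,
session id and category data are assumptions.
"""
import copy
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

SITE_ORIGIN = "http://127.0.0.1:8888"   # origin the PoC targets
UPDATE_PATH = "/admin/category/update"


@dataclass
class Request:
    method: str
    path: str
    headers: dict   # Origin/Referer and Cookie, as the browser would send them
    form: dict      # POST body fields


# Constructed server-side state: one admin session and one category row.
SESSIONS = {"admin-session-1": {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}}
CATEGORIES = {"1": {"name": "News", "parentId": "0"}}


def session_for(req):
    """Resolve the session from the cookie. The browser attaches this cookie to a
    cross-site POST unless it is SameSite=Lax/Strict, so its presence says nothing
    about who initiated the request."""
    for part in req.headers.get("Cookie", "").split(";"):
        k, _, v = part.strip().partition("=")
        if k == "JSESSIONID":   # assumed cookie name
            return SESSIONS.get(v)
    return None


def apply_update(req, categories):
    """The write the endpoint performs once it believes the caller is an admin."""
    cat = categories.get(req.form.get("id"))
    if cat is None:
        return 404
    cat["name"] = req.form.get("name", cat["name"])
    cat["parentId"] = req.form.get("parentId", cat["parentId"])
    return 200


def vulnerable_update(req, categories):
    """Mirrors the reported behaviour: a valid session cookie is sufficient."""
    if req.method != "POST" or req.path != UPDATE_PATH or session_for(req) is None:
        return 403
    return apply_update(req, categories)


def origin_ok(req):
    """Accept only requests whose Origin (falling back to Referer) is our own site.
    A POST with neither header is rejected: browsers send Origin on cross-site form
    posts, so a missing header is not a safe default."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    u = urlparse(src)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN


def hardened_update(req, categories):
    """Synchronizer token bound to the session, plus the Origin check."""
    sess = session_for(req)
    if req.method != "POST" or req.path != UPDATE_PATH or sess is None:
        return 403
    if not origin_ok(req):
        return 403
    # compare_digest keeps the comparison constant-time over the token length
    if not hmac.compare_digest(req.form.get("_csrf", ""), sess["csrf_token"]):
        return 403
    return apply_update(req, categories)


def forged_request():
    """What the admin's browser sends when the attacker's auto-submitting form fires."""
    return Request("POST", UPDATE_PATH,
                   {"Origin": "http://attacker.example", "Cookie": "JSESSIONID=admin-session-1"},
                   {"id": "1", "name": "pwned", "parentId": "0"})


def legitimate_request():
    """Same-origin submission from the admin UI, carrying the session's token."""
    return Request("POST", UPDATE_PATH,
                   {"Origin": SITE_ORIGIN, "Cookie": "JSESSIONID=admin-session-1"},
                   {"id": "1", "name": "Announcements", "parentId": "0",
                    "_csrf": SESSIONS["admin-session-1"]["csrf_token"]})


def demo():
    vuln, hard = copy.deepcopy(CATEGORIES), copy.deepcopy(CATEGORIES)
    return {
        "vulnerable_forged": vulnerable_update(forged_request(), vuln),
        "hardened_forged": hardened_update(forged_request(), hard),
        "hardened_legit": hardened_update(legitimate_request(), hard),
        "vuln_name": vuln["1"]["name"],
        "hard_name": hard["1"]["name"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run stand-alone, the cookie-only handler applies the forged rename, while the hardened handler returns 403 for the identical forged request and 200 for the same-origin request carrying the token. In the real CMS the equivalent of hardened_update would live in a request interceptor in front of every state-changing admin action, with the token rendered into each admin form.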

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)