VYPR
High severity · NVD Advisory · Published Dec 5, 2023 · Updated Aug 2, 2024

CVE-2023-49396

Description

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/category/save.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) on the admin category save endpoint (/admin/category/save), allowing an attacker to make an authenticated administrator's browser perform unintended state-changing actions.

Vulnerability

JFinalCMS v5.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /admin/category/save endpoint [1]. The endpoint accepts state-changing requests without issuing or validating an anti-CSRF token, so the session cookie alone is sufficient authorization; an attacker can therefore trick an authenticated administrator into submitting a request they did not intend [2].

Exploitation

An attacker can craft a malicious HTML page containing a hidden form that automatically submits a POST request to /admin/category/save with attacker-chosen parameters (for example a category name and status) [2]. The victim must hold a valid JFinalCMS admin session in their browser and open the attacker's page while that session is live; the browser attaches the session cookie to the cross-site POST automatically. No special network position is required; the page can be delivered via email, social media, or any other link the victim will open [1].

Impact

Successful exploitation allows the attacker to create or modify categories in the CMS without the administrator's knowledge or consent. This could lead to further compromise if the attacker uses the created or modified category to place malicious content on the site, or chains the CSRF with other functionality reachable from the admin panel [1][2].

Mitigation

As of the publication date, no official patch has been released. Administrators should add CSRF protection to every state-changing admin endpoint: a synchronizer token bound to the session and verified on each POST, a SameSite=Lax or Strict attribute on the session cookie as defense in depth, and Origin/Referer header validation as a secondary check (not a replacement for the token, since those headers can be absent or stripped). Until a fix is available, restrict network access to the admin panel and educate administrators about phishing risks [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions   Patched versions
com.jfinal:jfinal (Maven)   <= 5.0.0            (none listed)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.