VYPR
High severity · NVD Advisory · Published Dec 5, 2023 · Updated Aug 2, 2024

CVE-2023-49397

Description

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/category/updateStatus.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) in the category status update endpoint, allowing unauthorized status changes.

JFinalCMS v5.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /admin/category/updateStatus endpoint. The application does not validate the origin of requests, enabling an attacker to forge malicious requests that modify category statuses without the administrator's consent [1].

An attacker can exploit this by crafting a simple HTML form that submits a POST request to the vulnerable endpoint with parameters such as id and value. When an authenticated administrator visits the attacker-controlled page, the form submits automatically, altering the status of the specified category. The PoC demonstrates sending a request targeting http://127.0.0.1:8888/admin/category/updateStatus with hidden id and value parameters [2].

Successful exploitation allows an attacker to enable or disable categories arbitrarily, potentially disrupting the content management workflow or causing unauthorized changes to the site structure.

As of the publication date, no official patch or mitigation has been released. Developers should implement CSRF tokens or set the SameSite cookie attribute on the session cookie to protect against such attacks. The vulnerability affects JFinalCMS v5.0.0.
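As an added illustration of the mitigation just described (example code written for this page, not JFinalCMS or JFinal code), the following framework-neutral Python check is what a state-changing admin endpoint such as /admin/category/updateStatus would run before acting: it rejects requests whose browser-set Origin is another site and requires a per-session synchronizer token. The deployment origin is taken from the PoC URL above; the `_csrf` field name, the request dict shape and the sample requests are assumptions constructed here.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin, taken from the PoC URL quoted on this page.
SITE_ORIGIN = "http://127.0.0.1:8888"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def new_csrf_token() -> str:
    """Per-session synchronizer token: kept server-side, embedded in admin forms."""
    return secrets.token_urlsafe(32)


def csrf_check(request: dict, session_token: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a request to e.g. /admin/category/updateStatus.
    `request` is a constructed dict ('method', 'headers', 'form'), not a framework object."""
    if request["method"].upper() not in STATE_CHANGING:
        return True, "safe method"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # Check 1: the browser-set Origin (fallback: Referer) must be our own site.
    # A cross-site form post carries the other site's Origin, so it fails here.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "no Origin/Referer header; refusing state change"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, f"cross-origin request from {source!r}"
    # Check 2: the submitted token must equal the session token (constant-time compare).
    submitted = request.get("form", {}).get("_csrf", "")
    if not submitted or not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample requests. FORGED mimics the auto-submitting form the page
# describes (sent from another site, carrying the admin's cookie but no token);
# LEGIT is the same id/value change submitted from the admin's own page.
TOKEN = new_csrf_token()
FORGED = {"method": "POST",
          "headers": {"Origin": "http://other-site.example", "Cookie": "JSESSIONID=abc"},
          "form": {"id": "3", "value": "0"}}
LEGIT = {"method": "POST",
         "headers": {"Origin": SITE_ORIGIN, "Cookie": "JSESSIONID=abc"},
         "form": {"id": "3", "value": "0", "_csrf": TOKEN}}


def demo() -> dict:
    """Run both samples; returns {name: (allowed, reason)}."""
    return {"forged": csrf_check(FORGED, TOKEN), "legit": csrf_check(LEGIT, TOKEN)}
```

Setting `SameSite=Lax` or `Strict` on the session cookie is complementary: the browser then omits the cookie from the cross-site form post, so the forged request arrives unauthenticated even before these checks run.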

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: (none listed)

Affected products: 2

Patches: 0

No patches discovered yet.


References: 3
