VYPR
High severity · NVD Advisory · Published Dec 5, 2023 · Updated Aug 2, 2024

CVE-2023-49446

Description

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/nav/save.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 has a CSRF vulnerability in /admin/nav/save, allowing attackers to create arbitrary navigation items via a crafted request.

Vulnerability

Overview

JFinalCMS v5.0.0 is affected by a Cross-Site Request Forgery (CSRF) vulnerability in the navigation management endpoint /admin/nav/save. The issue arises because the application does not enforce any anti-CSRF tokens or origin validation when processing navigation save requests [1].

Exploitation

An attacker can exploit this by crafting a malicious HTML page that, when visited by an authenticated administrator, submits a POST request to /admin/nav/save with arbitrary parameters such as name, parentId, and url. A proof-of-concept (PoC) is available demonstrating a form-based attack targeting the default localhost address [2]. The attack requires no special privileges beyond the victim's existing session.

Impact

Successful exploitation allows the attacker to create new navigation items in the admin panel without the administrator's knowledge. This could be used to inject malicious links, redirect users, or alter the site's structure, potentially leading to further attacks like phishing or session hijacking.

Mitigation

No official patch has been released as of the disclosure date. Administrators are advised to implement CSRF protection mechanisms, such as synchronizer tokens or the SameSite cookie attribute, and to consider restricting access to the admin panel.
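As an added illustration of the mitigation described above (this is not JFinalCMS's own code), the following JFinal interceptor enforces a per-session synchronizer token plus an Origin/Referer check on state-changing admin requests such as POST /admin/nav/save. The class name, the csrf_token field name and the SITE_ORIGIN value are assumptions, and the interceptor is assumed to be attached to the admin controllers with JFinal's @Before annotation.

```java
// Added example, not JFinalCMS code; class, field and origin values are assumptions.
import com.jfinal.aop.Interceptor;
import com.jfinal.aop.Invocation;
import com.jfinal.core.Controller;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class CsrfInterceptor implements Interceptor {
    static final String TOKEN_ATTR = "csrf_token";              // session attribute and form field (assumed)
    static final String SITE_ORIGIN = "https://cms.example.test"; // placeholder for the real deployment origin
    private static final SecureRandom RNG = new SecureRandom();

    /** Issue (or reuse) the session's token; render it into admin forms as a hidden field. */
    public static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);                                   // 256 bits of CSPRNG entropy
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    @Override
    public void intercept(Invocation inv) {
        Controller c = inv.getController();
        HttpServletRequest req = c.getRequest();
        String method = req.getMethod();
        // Safe methods change no state; only POST/PUT/DELETE need the checks below.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            inv.invoke();
            return;
        }
        // Check 1: a cross-site form post arrives with a foreign Origin (or Referer).
        String origin = req.getHeader("Origin"), referer = req.getHeader("Referer");
        boolean sameSite = origin != null ? origin.equals(SITE_ORIGIN)
                                          : referer != null && referer.startsWith(SITE_ORIGIN + "/");
        if (!sameSite) { c.renderError(403); return; }
        // Check 2: the submitted token must equal the session token (constant-time compare).
        String expected = (String) c.getSession().getAttribute(TOKEN_ATTR);
        String submitted = c.getPara(TOKEN_ATTR);
        if (expected == null || submitted == null
                || !MessageDigest.isEqual(expected.getBytes(), submitted.getBytes())) {
            c.renderError(403);
            return;
        }
        inv.invoke();                                             // request is first-party and token-bearing
    }
}
```

Every admin form that posts to a guarded action must carry `<input type="hidden" name="csrf_token" value="...">` filled from tokenFor(session); a page on another origin cannot read that value, so a forged /admin/nav/save request fails check 2 even if it somehow passes check 1.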

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in our index yet)