VYPR
High severity · NVD Advisory · Published Dec 5, 2023 · Updated Aug 2, 2024

CVE-2023-49447

Description

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/nav/update.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) via /admin/nav/update, allowing unauthorized navigation changes.

JFinalCMS v5.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /admin/nav/update endpoint [1]. The application fails to validate or include anti-CSRF tokens, enabling attackers to craft malicious requests that modify navigation items on behalf of an authenticated administrator [2].

To exploit this, an attacker must trick an authenticated admin into visiting a crafted HTML page containing a hidden form that automatically submits a POST request to /admin/nav/update [2]. The PoC demonstrates modifying navigation properties such as name and URL, without requiring any user interaction beyond opening the malicious page [2].

Successful exploitation allows the attacker to alter navigation links, potentially redirecting users to phishing sites or defacing the CMS [1]. The impact is limited to authenticated sessions, but because no CSRF protection is in place, any change the admin's session is permitted to make can be triggered by a forged request [1].

As of the disclosure date, no patch or official workaround has been published [1]. Administrators should implement CSRF tokens manually or restrict access to the admin panel [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
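One way to add the token check the narrative recommends, shown as an added example that is not JFinalCMS's or JFinal's own code: a JFinal interceptor that binds a random synchronizer token to the admin session and rejects state-changing requests to handlers such as /admin/nav/update that do not carry a matching token. The session attribute name, form field name and interceptor class name are assumptions.

```java
import com.jfinal.aop.Interceptor;
import com.jfinal.aop.Invocation;
import com.jfinal.core.Controller;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Synchronizer-token interceptor (example, not JFinalCMS code): a forged
// cross-site form post carries the admin's session cookie but cannot read
// the per-session token, so the token check fails and the request is refused.
public class CsrfInterceptor implements Interceptor {
    private static final String SESSION_KEY = "csrfToken"; // assumed attribute name
    private static final String PARAM_NAME = "csrfToken";  // assumed form field name
    private static final SecureRandom RNG = new SecureRandom();

    // Issue one token per session; templates call this to fill the hidden field.
    public static String tokenFor(Controller c) {
        String token = c.getSessionAttr(SESSION_KEY);
        if (token == null) {
            byte[] buf = new byte[32];
            RNG.nextBytes(buf);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            c.setSessionAttr(SESSION_KEY, token);
        }
        return token;
    }

    @Override
    public void intercept(Invocation inv) {
        Controller c = inv.getController();
        String method = c.getRequest().getMethod();
        // Safe methods change no state; guard every other method (POST, PUT, DELETE).
        if ("GET".equalsIgnoreCase(method) || "HEAD".equalsIgnoreCase(method)) {
            inv.invoke();
            return;
        }
        String expected = c.getSessionAttr(SESSION_KEY);
        String supplied = c.getPara(PARAM_NAME);
        // Constant-time comparison; a missing token on either side is a failure.
        if (expected == null || supplied == null
                || !MessageDigest.isEqual(expected.getBytes(), supplied.getBytes())) {
            c.renderError(403); // token absent or mismatched: treat as a forged request
            return;
        }
        inv.invoke();
    }
}
```

Apply it with `@Before(CsrfInterceptor.class)` on the admin controllers (or register it in `configInterceptor`) and emit `tokenFor(this)` into every admin form as a hidden csrfToken field, so that legitimate updates to /admin/nav/update keep working while cross-site submissions are rejected.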

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)