VYPR
Moderate severity · NVD Advisory · Published Dec 8, 2023 · Updated May 27, 2025

CVE-2023-49485

Description

JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the column management department.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 contains a stored XSS vulnerability in the column management module of the administrative backend: an authenticated user with column-management rights can store arbitrary web script that runs in the browser of any administrator who views the column list.

Vulnerability

Overview

JFinalCMS v5.0.0 is affected by a stored cross-site scripting (XSS) vulnerability in the column management module of the administrative backend. The root cause is that values submitted when creating or editing a column are accepted without validation and later rendered into the column management page without HTML output encoding, so an attacker can store arbitrary HTML and JavaScript on the server that executes in the browser of any administrator who views that page [1][2].

Exploitation

Requirements

An attacker needs an authenticated account on the JFinalCMS backend with privileges to manage columns; no special network position is required. Because the payload is stored, it fires whenever another administrator loads the affected page, so the victim does not have to click a crafted link. The injection occurs through one or more fields of the column create/edit form [3]. Since the only role that can plant the payload already has backend access, the practical effect is escalation from a limited backend user to whatever a viewing administrator can do, or persistence for an attacker who has already obtained a backend account.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session. A logged-in administrator could have their session cookie stolen (unless it carries the HttpOnly flag), their session hijacked, or be redirected to a malicious site. Because the script runs from the site's own origin inside the administrative area, it can issue requests as the victim, with any anti-CSRF tokens the page exposes, for example to create further malicious columns or modify site content [2][3].

Mitigation

Status

As of the publication date (2023-12-08), no official patch has been released by the JFinal project. Users of JFinalCMS v5.0.0 are advised to disable the column management feature until a fix is available, or to add server-side input validation at the column create/edit handler and HTML output encoding wherever column fields are rendered [1][2]. Output encoding is the essential fix, since it also neutralizes payloads stored before validation was added; limiting which backend accounts hold column-management rights and setting the HttpOnly flag on the session cookie reduce exposure in the meantime but do not remove the bug.
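The rendering pattern described above, beside the two fixes the status paragraph recommends, as an added Java illustration. This is not JFinalCMS code: the Column record, the in-memory STORE, the render methods, the name allowlist and the sample payload are assumptions for the demo, chosen so the block runs stand-alone.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/*
 * Added demonstration, not JFinalCMS code. Column, STORE and the render
 * methods are stand-ins for the real column management module.
 */
public class ColumnXssDemo {

    /** Hypothetical column record; the real one has more fields. */
    static final class Column {
        final int id;
        final String name;
        Column(int id, String name) { this.id = id; this.name = name; }
    }

    /** Stand-in for the database table the column form writes to. */
    static final List<Column> STORE = new ArrayList<>();

    /**
     * Vulnerable pattern: the stored name is concatenated straight into the
     * HTML of the column list, so a stored payload reaches every
     * administrator who opens the page.
     */
    static String renderVulnerable(List<Column> columns) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Column c : columns) {
            html.append("<tr><td>").append(c.id)
                .append("</td><td>").append(c.name)
                .append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    /**
     * Input validation at the create/edit handler: an allowlist of letters in
     * any script (so Chinese column names pass), digits, space, underscore and
     * hyphen, at most 64 characters. Reject rather than "clean" anything else,
     * so the stored value is never a half-stripped payload.
     */
    static final Pattern COLUMN_NAME = Pattern.compile("^[\\p{L}\\p{N} _\\-]{1,64}$");

    static boolean isValidColumnName(String name) {
        return name != null && COLUMN_NAME.matcher(name).matches();
    }

    /** HTML entity encoding safe for text nodes and double-quoted attributes. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(ch);
            }
        }
        return out.toString();
    }

    /**
     * Hardened pattern: encode at the point of output. This also covers rows
     * that were stored before validation existed.
     */
    static String renderHardened(List<Column> columns) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Column c : columns) {
            html.append("<tr><td>").append(c.id)
                .append("</td><td>").append(htmlEncode(c.name))
                .append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    /** What the create/edit handler should do: validate, then store. */
    static boolean saveColumn(int id, String name) {
        if (!isValidColumnName(name)) {
            return false;   // the real handler would render an error page
        }
        STORE.add(new Column(id, name));
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample input: a normal name and an illustrative payload.
        String payload = "<script>alert(document.cookie)</script>";

        // Without validation the payload is persisted as-is.
        STORE.add(new Column(1, "News"));
        STORE.add(new Column(2, payload));
        System.out.println("vulnerable render carries <script>: " + renderVulnerable(STORE).contains("<script>"));
        System.out.println("hardened render carries <script>:   " + renderHardened(STORE).contains("<script>"));

        // With validation the payload never reaches the store.
        STORE.clear();
        System.out.println("validation accepts 'News':  " + saveColumn(1, "News"));
        System.out.println("validation accepts payload: " + saveColumn(2, payload));
        System.out.println("rows stored: " + STORE.size());
    }
}
```

Compile and run with `javac ColumnXssDemo.java && java ColumnXssDemo`. The encoder is deliberately written out rather than pulled from a library so the block has no dependencies; in a real JFinal deployment the same encoding should happen in the template layer for every column field, not only the name.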

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem  Affected versions  Patched versions
com.jfinal:jfinal  Maven      <= 5.0.0           none

Note that the advisory maps this CVE to the com.jfinal:jfinal Maven artifact, which is the JFinal web framework rather than the JFinalCMS application the description names. Before treating a framework dependency as affected, check whether what you deploy is JFinalCMS itself.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3