VYPR
Moderate severity · NVD Advisory · Published Dec 14, 2023 · Updated Aug 2, 2024

CVE-2023-50100

Description

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via carousel image editing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalCMS 5.0.0 contains a stored cross-site scripting vulnerability in the carousel image editing function.

Vulnerability

JFinalCMS 5.0.0 is vulnerable to stored cross-site scripting (XSS) in the carousel image editing functionality. Values submitted through the carousel editor are neither validated on input nor encoded for their HTML context on output, so an attacker can submit script or HTML markup that is saved to the database and later emitted into the page unchanged. The payload then runs in the application's origin, in the browser of any user whose page renders that carousel item [1][2].

Exploitation

To exploit this vulnerability, an attacker needs an account that can reach the carousel image editing interface (normally an administrative or content-editor role). The attacker submits a script payload in a carousel field; the CVE description identifies the carousel image editor as the injection point but does not name the specific field, so during triage every stored attribute of a carousel record (image URL, link target, title or caption text) should be treated as a candidate. Because the value is stored without encoding, the payload is persisted and later rendered unsafely, triggering execution for every user who views a page that includes the affected carousel item [2].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of an authenticated administrator's session. This can lead to session hijacking, data theft, or defacement of the admin panel. Note that marking the session cookie HttpOnly prevents the script from reading the cookie but does not prevent it from issuing requests as the victim from within the page, including requests that carry the victim's CSRF token, so account takeover via a silently added administrator or a changed password remains possible. The stored nature of the XSS increases the impact, as the payload persists across visits and can affect multiple users, including every administrator who opens the carousel management page [1][2].

Mitigation

As of the advisory date, no official patch has been released for JFinalCMS 5.0.0. Users should apply context-aware output encoding wherever stored carousel values are rendered (HTML-entity encoding for text and for attribute values, with quotes encoded so a value cannot close the attribute it sits in) and, on input, restrict URL fields to http, https or site-relative paths so that javascript: and data: schemes are rejected. Input validation alone is not sufficient, since a value that is harmless in one rendering context can be executable in another. A content security policy that forbids inline script (a script-src without 'unsafe-inline', or a nonce- or hash-based policy) blocks the common inline-handler payloads and is worthwhile defense in depth, but it mitigates rather than fixes the bug. Until a fix is available, restrict carousel editing to trusted accounts and review the stored carousel records for injected markup. The vendor has been made aware through the disclosure on GitHub [2].
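The pattern described in the Exploitation and Mitigation sections, as an added illustration that is not JFinalCMS code: a vulnerable renderer that concatenates stored carousel fields into HTML, a hardened renderer that scheme-checks URLs and encodes every value for its context, and a triage helper that scans stored rows for injected markup. The record layout (title, image_url, link_url) and the sample rows are constructed for the example; the advisory does not identify which carousel field is injectable. The example is in Python so it runs stand-alone, but the same two rules (allowlist the URL scheme, encode at output for the HTML context) are what the Java templates in the real application need.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample rows standing in for a dump of the carousel table.
# Field names are assumptions; the advisory does not name the injectable field.
CAROUSEL_ROWS = [
    {"title": "Spring sale",
     "image_url": "https://cdn.example/s.jpg",
     "link_url": "/sale"},
    # Payload in a text field: executes when emitted unencoded into the page body.
    {"title": "<img src=x onerror=alert(document.cookie)>",
     "image_url": "https://cdn.example/x.jpg",
     "link_url": "/x"},
    # Payloads in URL fields: one breaks out of the src attribute with a quote,
    # the other uses a javascript: scheme in the link target.
    {"title": "Promo",
     "image_url": 'https://cdn.example/p.jpg" onload="alert(1)',
     "link_url": "javascript:alert(1)"},
]


def render_vulnerable(row):
    """The bug class: stored values concatenated into HTML without encoding."""
    return (f'<a href="{row["link_url"]}"><img src="{row["image_url"]}" '
            f'alt="{row["title"]}"></a><p>{row["title"]}</p>')


def safe_url(url):
    """Allow only absolute http(s) URLs or site-relative paths for src/href.

    Anything else (javascript:, data:, vbscript:, protocol-relative //host)
    is replaced with an inert '#'. urlsplit lowercases the scheme, so case
    variants such as JavaScript: are caught too.
    """
    parts = urlsplit(url.strip())
    if parts.scheme in ("http", "https") and parts.netloc:
        return url
    if not parts.scheme and url.startswith("/") and not url.startswith("//"):
        return url
    return "#"


def render_hardened(row):
    """Context-aware output encoding on top of URL scheme validation.

    quote=True encodes " and ' so a stored value cannot terminate the
    attribute it is placed in; body text is entity-encoded as well.
    """
    title = html.escape(row["title"], quote=True)
    src = html.escape(safe_url(row["image_url"]), quote=True)
    href = html.escape(safe_url(row["link_url"]), quote=True)
    return f'<a href="{href}"><img src="{src}" alt="{title}"></a><p>{title}</p>'


# Markers of injected markup: script tags, inline event handlers, javascript: URLs.
SUSPICIOUS = re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.I)


def find_suspicious_rows(rows):
    """Triage helper: indexes of stored rows whose fields look like XSS payloads.

    Run it over an export of the carousel table to find records that were
    planted before the renderer was fixed; fixing output encoding alone
    leaves the stored payloads in place.
    """
    return [i for i, row in enumerate(rows)
            if any(SUSPICIOUS.search(str(v)) for v in row.values())]


if __name__ == "__main__":
    for i, row in enumerate(CAROUSEL_ROWS):
        print(f"row {i} vulnerable: {render_vulnerable(row)}")
        print(f"row {i} hardened:   {render_hardened(row)}")
    print("suspicious rows:", find_suspicious_rows(CAROUSEL_ROWS))
```

The hardened renderer deliberately keeps the quote-breakout payload as a (broken) image URL rather than dropping it: once the quote is encoded it is inert, and leaving the stored value visible makes the planted record easy to spot in the admin view and in the triage scan.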

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions   Patched versions
com.jfinal:jfinal (Maven)   <= 5.0.0            none

Note that com.jfinal:jfinal is the Maven artifact of the JFinal web framework, while the CVE description names the JFinalCMS application that is built on it. Confirm the affected component against the advisory before treating every consumer of the framework artifact as exposed.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)