VYPR
Moderate severity · NVD Advisory · Published Dec 14, 2023 · Updated Nov 26, 2024

CVE-2023-50101

Description

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via Label management editing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JFinalcms 5.0.0 is vulnerable to stored cross-site scripting (XSS) via the Label management editing functionality.

JFinalcms 5.0.0 contains a stored cross-site scripting (XSS) vulnerability in the Label management editing feature [2]. The vulnerability allows an attacker to inject malicious scripts through input fields that are not properly sanitized before being stored and later rendered in the application. This class of flaw arises when user-supplied data is accepted without adequate encoding or filtering, enabling script execution in the context of other users' sessions [3].

Exploitation

An attacker with access to the Label management functionality can submit crafted payloads, such as JavaScript code, through the editing interface. No special privileges beyond the ability to edit labels are required, as the stored content will be served to any user who views the affected labels, including administrators. The attack does not require user interaction at the point of injection, but victim users must visit the page displaying the malicious label [3].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the browsers of other users. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Since the XSS is stored, the impact persists for all users who access the compromised label until the injected code is removed [2].

Mitigation

No patch or update had been announced by JFinal as of the publication date; the official jfinal/jfinal repository is the framework itself, and JFinalcms appears to be a separate project built on it [1]. The vendor advisory and proof-of-concept details have been made public [3]. Users should sanitize and output-encode all label inputs, implement Content Security Policy headers, and restrict access to label editing until an official fix becomes available [2].
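The following is an added example of the two mitigations named above (output encoding of stored label text and a restrictive Content Security Policy); it is illustrative code written for this page, not code from JFinalcms or the JFinal framework. The class name, the allowlist rule for label names and the sample label value are assumptions made for the example; only the HTML entity encoding and the CSP header value follow from standard practice.

```java
import java.util.regex.Pattern;

/**
 * Added example (not JFinalcms/JFinal code): defensive handling of a
 * user-supplied label name that is stored and later rendered in HTML.
 */
public final class LabelOutputEncoding {

    /** Assumed input rule for this example: label names are short and limited to letters, digits, space, dash, underscore. */
    private static final Pattern LABEL_NAME = Pattern.compile("^[\\p{L}\\p{N} _-]{1,64}$");

    /** Restrictive CSP value: no inline scripts, scripts only from the page's own origin. */
    public static final String CSP =
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

    /** Input validation at the editing endpoint: reject anything outside the allowlist. */
    public static boolean isValidLabelName(String raw) {
        return raw != null && LABEL_NAME.matcher(raw).matches();
    }

    /**
     * Output encoding at render time. This is the primary fix: even if markup
     * reaches storage, encoding the five HTML metacharacters means the browser
     * treats the label as text, not as tags or attributes.
     */
    public static String escapeHtml(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render a stored label into an HTML text node; the encoding happens here, not in the template. */
    public static String renderLabel(String storedLabelName) {
        return "<span class=\"label\">" + escapeHtml(storedLabelName) + "</span>";
    }

    public static void main(String[] args) {
        // Constructed sample value: a label name carrying markup that should never execute.
        String stored = "news<script>doSomething()</script>";

        System.out.println("accepted at input? " + isValidLabelName(stored));
        System.out.println("rendered:          " + renderLabel(stored));
        System.out.println("CSP header:        " + CSP);
    }
}
```

In a servlet-based application the header is set on the response before the page body is written, for example `response.setHeader("Content-Security-Policy", CSP)` on an `HttpServletResponse`. The allowlist check belongs on the label editing endpoint, while `escapeHtml` belongs wherever the label is written into HTML; applying encoding only at input time leaves already-stored values unprotected.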

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: (none listed)

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.