VYPR
Moderate severity · NVD Advisory · Published Jan 23, 2024 · Updated Jun 5, 2025

CVE-2024-22496


Description

Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the /admin/login username parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS in JFinalcms 5.0.0 via the username parameter at /admin/login allows attackers to execute arbitrary JavaScript in the admin's browser.

Vulnerability

Overview

CVE-2024-22496 is a reflected Cross-Site Scripting (XSS) vulnerability in the admin login page of JFinalcms version 5.0.0. The flaw exists in the /admin/login endpoint, specifically within the username parameter. The application fails to properly sanitize or encode user input before reflecting it in the response, allowing an attacker to inject arbitrary HTML and JavaScript [1][2].

Exploitation

An attacker exploits this flaw by crafting a URL whose username parameter carries the payload. The proof-of-concept payload in [2] starts with "> to close the attribute value into which the username is reflected, then follows it with script markup that executes as soon as the victim opens the link. The attacker needs no account on the system; the only precondition is that a victim, typically an administrator, visits the crafted link. Because the page is reached before login, the script does not necessarily run inside an authenticated session, but it does run in the JFinalcms origin, so any cookie the browser already holds for the site, and anything the victim types into the login form, is within reach. The vulnerability is low in complexity and exploitable remotely.
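The defect class described above, reduced to a minimal reproduction, as an added example that is not JFinalcms code: the real login template is not reproduced on this page, so the markup below is assumed. The example places the unencoded reflection beside the encoded form and adds a canary-based probe a tester can use to confirm whether a given instance reflects the username without encoding, without sending a JavaScript payload.

```python
import html
from urllib.parse import quote

# Assumed stand-in for the login page markup (constructed for this example,
# not taken from JFinalcms). The username is written into a quoted attribute.
LOGIN_TEMPLATE = (
    '<form method="post" action="/admin/login">'
    '<input type="text" name="username" value="{username}">'
    '<input type="password" name="password">'
    '<button type="submit">Login</button>'
    '</form>'
)


def render_login_vulnerable(username: str) -> str:
    """Reflect the submitted username verbatim into the value attribute.

    This is the defect class the advisory describes: no output encoding, so a
    value containing '">' leaves the attribute and opens new markup.
    """
    return LOGIN_TEMPLATE.replace("{username}", username)


def render_login_fixed(username: str) -> str:
    """Same page with contextual output encoding.

    quote=True is essential: html.escape without it leaves the double quote
    alone, which is exactly the character needed to break out of the attribute.
    """
    return LOGIN_TEMPLATE.replace("{username}", html.escape(username, quote=True))


# Canary containing every character needed to close a quoted attribute and
# open an element. It is inert if the server encodes it, and it contains no
# script, so it can be sent against a live instance without side effects.
CANARY = '"><xss-canary>'


def reflects_unencoded(body: str, canary: str = CANARY) -> bool:
    """True when the canary comes back byte-for-byte, i.e. unencoded."""
    return canary in body


def build_probe_url(base: str = "http://localhost:8080", canary: str = CANARY) -> str:
    """URL a tester would request; the base host is an assumption."""
    return f"{base}/admin/login?username={quote(canary, safe='')}"


if __name__ == "__main__":
    for label, render in (("vulnerable", render_login_vulnerable),
                          ("fixed", render_login_fixed)):
        print(f"{label:10s} reflects unencoded: {reflects_unencoded(render(CANARY))}")
    print("probe URL:", build_probe_url())
```

To check a real deployment, request the URL from build_probe_url and pass the response body to reflects_unencoded; a True result means the attribute breakout the advisory describes is possible on that instance.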

Impact

Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser within the JFinalcms origin, which can lead to session hijacking, credential theft, or defacement of the admin interface [1]. Because the injection point is the admin login page, the most direct abuse is credential capture: the injected script can read or replace the login form and send the administrator's username and password to an attacker-controlled host. If the administrator already holds a valid session cookie, the script can issue requests to the admin interface on their behalf; an HttpOnly flag on that cookie stops the script from reading the cookie itself but not from making same-origin requests that carry it.

Mitigation

As of the publication date, no patch or update has been released by the vendor. The project source code is hosted on Gitee, and the reported proof of concept demonstrates successful exploitation [2]. Until a fix is available, restrict network access to the admin panel (for example to a VPN or management network) and consider web application firewall (WAF) rules that reject <, > and quote characters in the username parameter; treat the WAF as a stopgap, since double encoding and similar tricks can slip past signature rules. The durable fix belongs in the application: HTML-encode the username, double quotes included, at the point where it is written back into the page, and add a Content-Security-Policy that disallows inline script so that a reflected payload cannot execute even where encoding is missed.
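Until a patch exists, an operator will also want to know whether anyone has tried this against an exposed panel. The following is an added detection example, not part of the advisory or of JFinalcms: it scans Common Log Format access-log lines for requests to /admin/login whose username parameter, after repeated percent-decoding, contains attribute-breakout or tag characters. The log lines are constructed for the example, and the script tag in one of them is a generic XSS test string, not the proof of concept cited in [2].

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log sample in Common Log Format. Not from any real
# system; the addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jan/2024:10:01:02 +0000] "GET /admin/login?username=alice HTTP/1.1" 200 1532
203.0.113.9 - - [23/Jan/2024:10:02:44 +0000] "GET /admin/login?username=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1601
203.0.113.9 - - [23/Jan/2024:10:03:10 +0000] "GET /admin/login?username=%2522%253E HTTP/1.1" 200 1540
198.51.100.2 - - [23/Jan/2024:10:04:00 +0000] "GET /admin/index HTTP/1.1" 302 0
"""

# ip, ident, authuser, [timestamp], "method target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters a legitimate username never needs but an attribute breakout does.
SUSPICIOUS = re.compile(r'["\'<>]')


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %2522 is seen as the quote it is.

    A single decode (what many WAF rules do) would leave %22 in place and
    miss the attempt; bounded rounds avoid looping on pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_text: str) -> list:
    """Return one record per /admin/login request with a suspicious username."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF, or a truncated line
        parts = urlsplit(m.group("target"))
        if parts.path != "/admin/login":
            continue
        # parse_qs performs one percent-decode; decode_fully catches the rest.
        for username in parse_qs(parts.query, keep_blank_values=True).get("username", []):
            decoded = decode_fully(username)
            if SUSPICIOUS.search(decoded):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "username": decoded,
                })
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} username={hit["username"]!r}')
```

The same decode-then-inspect logic is what a WAF rule for this endpoint should do; a rule that matches only the literal sequence of a single-encoded script tag misses the double-encoded third line above. Note that a 200 status on a hit is expected here, since the login page renders normally with the payload reflected into it.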

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
com.jfinal:jfinal (Maven)    <= 5.0.0            none

Affected products: 2

Patches: 0 (none discovered yet)


References: 3
