VYPR
Moderate severity · NVD Advisory · Published Jan 23, 2024 · Updated May 30, 2025

CVE-2024-22497

Description

Cross Site Scripting (XSS) vulnerability in /admin/login password parameter in JFinalcms 5.0.0 allows attackers to run arbitrary code via crafted URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in JFinalcms 5.0.0 admin login password parameter allows remote attackers to execute arbitrary JavaScript via a crafted URL.

A reflected cross-site scripting (XSS) vulnerability exists in JFinalcms version 5.0.0. The /admin/login endpoint fails to sanitize the password parameter, allowing an attacker to inject arbitrary web scripts. The vulnerability is described in detail in a public security advisory [2].

An attacker can exploit this by crafting a URL containing malicious JavaScript in the password parameter and tricking an authenticated or unauthenticated user into visiting it. When the login form is processed (e.g., submitted or the page is rendered), the injected script executes in the user's browser. The proof-of-concept payload "> demonstrates the issue [2].

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, or defacement of the admin interface. The impact is limited by the attacker's ability to deliver the malicious link, but no authentication is required to trigger the reflection.

As of the latest disclosure, no official patch has been released for this vulnerability. Administrators are advised to implement input validation and output encoding for the password parameter, or restrict access to the admin interface until a fix is available [1][2].
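An added illustration, written for this page and not taken from JFinalcms, of the reflection described above and the output-encoding mitigation recommended here: a login handler that echoes the password parameter into an attribute value beside a hardened version. The form markup, the function names and the sample URL are assumptions; the request reuses the advisory's "> fragment as the start of the value.

```python
# Hypothetical login-page renderers for CVE-2024-22497 (not JFinalcms code).
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed request: the password parameter carries the advisory's
# "> fragment followed by a harmless marker tag so the effect is visible.
SAMPLE_URL = "/admin/login?username=admin&password=%22%3E%3Cb%3Einjected%3C%2Fb%3E"


def login_params(url):
    """Return (username, password) from the query string of a login URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("username", [""])[0], qs.get("password", [""])[0]


def render_login_vulnerable(username, password):
    """Reflects raw input into attribute values. A value starting with
    "> closes the attribute, so the rest of it becomes live markup."""
    return (
        '<form method="post" action="/admin/login">'
        f'<input name="username" value="{username}">'
        f'<input name="password" value="{password}">'
        "</form>"
    )


def render_login_hardened(username, password):
    """Encodes for the attribute context and never echoes the password
    (the password argument is accepted only to keep the signature the same)."""
    return (
        '<form method="post" action="/admin/login">'
        f'<input name="username" value="{escape(username, quote=True)}">'
        '<input name="password" value="">'
        "</form>"
    )


def reflects_markup(html_out, marker="<b>injected</b>"):
    """True when the constructed marker survives unencoded as real markup."""
    return marker in html_out


def demo(url=SAMPLE_URL):
    """Returns (vulnerable_reflects, hardened_reflects) for the sample URL."""
    user, pw = login_params(url)
    return (
        reflects_markup(render_login_vulnerable(user, pw)),
        reflects_markup(render_login_hardened(user, pw)),
    )
```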

MITRE has assigned this CVE based on the reported issue [1]. Users should monitor for updates from the vendor.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.jfinal:jfinal (Maven)
Affected versions: <= 5.0.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not yet synthesized for this CVE

References: 3

News mentions: 0 (no linked articles indexed yet)