CVE-2023-49380

8.8 HIGH

📋 TL;DR

JFinalCMS v5.0.0 contains a CSRF vulnerability in the friend link deletion endpoint (/admin/friend_link/delete) that allows attackers to trick authenticated administrators into performing unauthorized deletions. This affects all deployments of JFinalCMS v5.0.0 with the vulnerable endpoint accessible. Attackers can exploit this by luring administrators to malicious websites while they're logged into the CMS.

💻 Affected Systems

Products:
  • JFinalCMS
Versions: v5.0.0
Operating Systems: All platforms running JFinalCMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated administrator session, but because the forged request is sent by the administrator's own browser, the attacker needs no credentials of their own.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could delete all friend links, potentially disrupting website functionality and SEO rankings, or chain with other vulnerabilities for more severe attacks.

🟠 Likely Case

Unauthorized deletion of friend links, causing broken links on the website and potential SEO impact.

🟢 If Mitigated

Minimal impact if CSRF tokens or other protections are implemented, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is typically internet-accessible in web CMS deployments.
🏢 Internal Only: MEDIUM - Even internal deployments are vulnerable if administrators can be tricked into visiting malicious content.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to implement. The vulnerability requires the victim to be authenticated as an administrator.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement CSRF protection manually.

🔧 Temporary Workarounds

  • Implement CSRF Token Protection
    Applies to: all
    Add CSRF token validation to the /admin/friend_link/delete endpoint.
    Modify the delete endpoint to require and validate a CSRF token in POST requests.

  • Restrict Access with WAF Rules
    Applies to: all
    Configure the web application firewall to block suspicious deletion requests.
    Configure the WAF to require Referer header validation for the /admin/friend_link/delete endpoint.

🧯 If You Can't Patch

  • Implement strict SameSite cookie policies and require re-authentication for sensitive actions
  • Monitor and alert on unusual friend link deletion patterns in application logs

🔍 How to Verify

Check if Vulnerable:

Test if the /admin/friend_link/delete endpoint accepts requests without CSRF tokens when authenticated

Check Version:

Check JFinalCMS version in admin panel or configuration files

Verify Fix Applied:

Verify that the endpoint now requires and validates CSRF tokens for all state-changing operations

📡 Detection & Monitoring

Log Indicators:

  • Multiple friend link deletions from same IP/session in short time
  • Deletion requests missing expected CSRF tokens

Network Indicators:

  • HTTP POST requests to /admin/friend_link/delete without Referer headers or from unexpected origins

SIEM Query:

source="web_logs" AND uri="/admin/friend_link/delete" AND (NOT csrf_token=*) AND response_code=200
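As an added example (not part of this advisory or of JFinalCMS), the log indicators above turned into detection logic over constructed access-log lines in combined format: it flags successful POSTs to /admin/friend_link/delete whose Referer is missing or outside the trusted admin origin, and bursts of deletions from one IP. The trusted origin, thresholds and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not from a real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "POST /admin/friend_link/delete HTTP/1.1" 200 52 "https://cms.example.com/admin/friend_link" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2024:12:00:09 +0000] "POST /admin/friend_link/delete HTTP/1.1" 200 52 "https://evil.example.net/lure.html" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2024:12:00:10 +0000] "POST /admin/friend_link/delete HTTP/1.1" 200 52 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2024:12:00:11 +0000] "POST /admin/friend_link/delete HTTP/1.1" 200 52 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:12:05:00 +0000] "GET /admin/friend_link HTTP/1.1" 200 1843 "https://cms.example.com/admin" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
TARGET = "/admin/friend_link/delete"  # the endpoint named in the advisory


def parse(log_text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def flag_csrf_candidates(log_text, trusted_origin, burst_n=3, window=timedelta(seconds=60)):
    """Return (origin_alerts, burst_alerts) for successful friend-link deletions.

    origin_alerts: (ip, referer) where Referer is missing or not under trusted_origin
    burst_alerts:  (ip, total) when burst_n or more deletions from one IP fall in `window`
    trusted_origin and the thresholds are assumed values for this example."""
    origin_alerts, per_ip = [], defaultdict(list)
    for r in parse(log_text):
        if r["method"] != "POST" or r["path"] != TARGET or r["status"] != "200":
            continue
        per_ip[r["ip"]].append(r["ts"])
        if not r["referer"].startswith(trusted_origin + "/"):
            origin_alerts.append((r["ip"], r["referer"]))
    burst_alerts = []
    for ip, times in per_ip.items():
        times.sort()
        # Sliding window: any burst_n consecutive deletions within `window` is one alert per IP.
        if any(times[i + burst_n - 1] - times[i] <= window
               for i in range(len(times) - burst_n + 1)):
            burst_alerts.append((ip, len(times)))
    return origin_alerts, burst_alerts
```

Referer can legitimately be absent under a strict Referrer-Policy, so treat the origin alerts as triage leads and tune the burst threshold to normal administrator activity.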
