CVE-2023-49395

8.8 HIGH

📋 TL;DR

JFinalCMS v5.0.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the column (category) management update endpoint, /admin/category/update. An attacker can trick an authenticated administrator's browser into submitting an unauthorized category update. Organizations running JFinalCMS v5.0.0 with the administrative interface exposed are affected.

💻 Affected Systems

Products:
  • JFinalCMS
Versions: v5.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated administrator session to exploit. The vulnerability is in the admin interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify or delete website categories, potentially disrupting site structure, SEO, and user navigation, or inject malicious content into category metadata.

🟠 Likely Case

Unauthorized modification of website categories leading to content misplacement, broken navigation, or SEO damage.

🟢 If Mitigated

With proper CSRF protections, the vulnerability would be blocked, preventing unauthorized category modifications.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF exploits are typically simple to weaponize. Public proof-of-concept exists in GitHub references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement CSRF protections manually.

🔧 Temporary Workarounds

Implement CSRF Tokens (applies to: all)

Add CSRF token validation to the /admin/category/update endpoint.

Modify the JFinalCMS source code to include CSRF token generation and validation in the category update functionality.

Restrict Admin Access (applies to: all)

Limit access to the admin interface to trusted IP addresses only.

Configure the firewall or web server (e.g., Apache .htaccess, Nginx allow/deny) to restrict /admin paths to specific IPs.

🧯 If You Can't Patch

  • Implement network segmentation to isolate the admin interface from untrusted networks.
  • Use browser extensions or configurations that block cross-site requests, and educate administrators about CSRF risks.

🔍 How to Verify

Check if Vulnerable:

Confirm that the JFinalCMS version is 5.0.0 and that the /admin/category/update endpoint has no CSRF protection (for example, no anti-CSRF token is required or validated on the request).

Check Version:

Check the JFinalCMS version in the application's configuration files or admin panel.

Verify Fix Applied:

Test the /admin/category/update endpoint with a CSRF attack simulation; it should reject requests without valid CSRF tokens.

📡 Detection & Monitoring

Log Indicators:

  • Unusual category update requests from unexpected IPs or without referrer headers.
  • Multiple failed update attempts indicating CSRF probing.

Network Indicators:

  • HTTP POST requests to /admin/category/update without CSRF tokens or from suspicious origins.

SIEM Query:

source="web_logs" AND uri="/admin/category/update" AND (NOT csrf_token=*)
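The SIEM query above keys only on a missing token. The following Python script, an added example that is not part of the original advisory, applies the log indicators listed above (missing token, absent or cross-site Origin/Referer) to constructed sample log lines. The JSON field names, the hostname cms.example.com and the log format are assumptions for this example.

```python
import json
from urllib.parse import urlsplit

TARGET_URI = "/admin/category/update"
SITE_HOST = "cms.example.com"  # assumed hostname of the JFinalCMS admin interface

# Constructed sample log lines (one JSON object each), not from a real deployment.
# Field names (uri, method, csrf_token, origin, referer) are assumptions matching the SIEM query.
SAMPLE_LOGS = """\
{"ts": "2024-01-10T10:00:01Z", "src_ip": "10.0.0.5", "method": "POST", "uri": "/admin/category/update", "csrf_token": "a1b2c3", "origin": "https://cms.example.com", "referer": "https://cms.example.com/admin/category/edit?id=3"}
{"ts": "2024-01-10T10:02:17Z", "src_ip": "203.0.113.9", "method": "POST", "uri": "/admin/category/update", "referer": "https://evil.example.net/lure.html"}
{"ts": "2024-01-10T10:02:18Z", "src_ip": "10.0.0.5", "method": "POST", "uri": "/admin/category/update"}
{"ts": "2024-01-10T10:03:00Z", "src_ip": "10.0.0.7", "method": "GET", "uri": "/admin/category/list", "referer": "https://cms.example.com/admin"}
{"ts": "2024-01-10T10:04:30Z", "src_ip": "10.0.0.5", "method": "POST", "uri": "/admin/category/update", "csrf_token": "zzz", "origin": "https://evil.example.net"}
"""


def host_of(url):
    """Hostname of an Origin/Referer value, or None when the header is absent."""
    return urlsplit(url).hostname if url else None


def classify(event):
    """Reasons this event matches the CSRF indicators; empty list when it does not."""
    if event.get("uri") != TARGET_URI or event.get("method", "").upper() != "POST":
        return []
    reasons = []
    if not event.get("csrf_token"):
        reasons.append("missing csrf_token")
    # Origin is the stronger signal; fall back to Referer when it is absent.
    source_host = host_of(event.get("origin")) or host_of(event.get("referer"))
    if source_host is None:
        reasons.append("no Origin/Referer header")
    elif source_host != SITE_HOST:
        reasons.append("cross-site source " + source_host)
    return reasons


def scan(log_text):
    """Return (timestamp, src_ip, reasons) for every suspicious category update."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            reasons = classify(event)
            if reasons:
                hits.append((event["ts"], event["src_ip"], reasons))
    return hits


if __name__ == "__main__":
    for ts, ip, reasons in scan(SAMPLE_LOGS):
        print(ts, ip, "; ".join(reasons))
```

A request that carries a token but arrives from a foreign Origin is still flagged, which the token-only SIEM query would miss.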
