CVE-2023-49397

8.8 HIGH

📋 TL;DR

JFinalCMS v5.0.0 performs no cross-site request forgery (CSRF) check on the category status update endpoint (/admin/category/updateStatus). An attacker who lures a logged-in administrator to a page they control can have the administrator's browser submit a forged request to that endpoint, carrying the victim's session cookie, and change category status without the administrator's knowledge. All JFinalCMS v5.0.0 installations whose admin interface an administrator's browser can reach are affected; the attacker does not need to reach the admin interface directly.

💻 Affected Systems

Products:
  • JFinalCMS
Versions: v5.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The endpoint requires an authenticated admin session, but performs no anti-CSRF check (no synchronizer token, no Origin/Referer validation), so the browser's automatic submission of the session cookie is all an attacker needs.

📦 What is this software?

JFinalCMS is an open-source Java content management system built on the JFinal web framework. The vulnerable code path is in its admin back-end, which manages the site's content categories.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could disable or modify critical website categories, potentially disrupting site functionality or enabling further attacks through content manipulation.

🟠

Likely Case

Unauthorized changes to website category structure, potentially affecting navigation, content organization, and user experience.

🟢

If Mitigated

With proper CSRF protection (a per-session synchronizer token validated on every state-changing request, plus a SameSite attribute on the admin session cookie), a forged cross-site request is rejected even if an administrator is tricked into visiting a malicious page.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a victim who currently holds an authenticated admin session to visit an attacker-controlled page (or open attacker-controlled HTML, for example in an email). No interaction beyond loading the page is needed. A proof of concept is available in the GitHub references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is known. Implement CSRF protection in the application: generate a per-session anti-CSRF token, embed it as a hidden field in the admin forms, and reject any request to /admin/category/updateStatus whose token is missing or does not match the session's token. Apply the same check to every other state-changing admin action rather than to this endpoint alone, and set the admin session cookie with SameSite=Lax or Strict so browsers withhold it on cross-site POSTs.

🔧 Temporary Workarounds

Implement CSRF Protection

all

Add CSRF token validation to the vulnerable endpoint

Modify the JFinalCMS source to generate a per-session CSRF token, embed it in the admin forms, and validate it server-side on /admin/category/updateStatus; apply the same validation to every state-changing admin action, since protecting one endpoint leaves the rest exposed.
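The following is an added example of the fix described above (the official fix instructions and this workaround both call for it). It is not JFinalCMS's own code: it is a JFinal interceptor, using JFinal's real Interceptor, Invocation and Controller API, that enforces a synchronizer token plus an Origin/Referer check on every non-safe request. The package name, the csrf_token parameter and session attribute names, the X-CSRF-Token header, and the https://cms.example.com origin are assumptions for illustration.

```java
package com.example.csrf; // hypothetical package; put it wherever JFinalCMS keeps its interceptors

import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

import com.jfinal.aop.Interceptor;
import com.jfinal.aop.Invocation;
import com.jfinal.core.Controller;

/**
 * Synchronizer-token CSRF check for state-changing admin actions.
 * Register it in your JFinalConfig subclass:
 *   public void configInterceptor(Interceptors me) {
 *       me.add(new CsrfInterceptor("https://cms.example.com")); // the site's real origin
 *   }
 * and embed the token in every admin form that posts to a protected action:
 *   <input type="hidden" name="csrf_token" value="${csrf_token}">
 * (set the attribute with c.setAttr(CsrfInterceptor.TOKEN_NAME, CsrfInterceptor.tokenFor(c))
 * before rendering the form).
 */
public class CsrfInterceptor implements Interceptor {

    /** Session attribute / request parameter name: an assumed name, not JFinalCMS's own. */
    public static final String TOKEN_NAME = "csrf_token";
    private static final SecureRandom RNG = new SecureRandom();

    /** Expected "scheme://host[:port]" of the site, no trailing slash; port only if non-default. */
    private final String allowedOrigin;

    public CsrfInterceptor(String allowedOrigin) {
        this.allowedOrigin = allowedOrigin;
    }

    /** Returns the session's token, minting a 256-bit random one on first use. */
    public static String tokenFor(Controller c) {
        String token = c.getSessionAttr(TOKEN_NAME);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            c.setSessionAttr(TOKEN_NAME, token);
        }
        return token;
    }

    @Override
    public void intercept(Invocation inv) {
        Controller c = inv.getController();
        String method = c.getRequest().getMethod();

        // Safe methods must not change state, so they need no token. This only holds if
        // updateStatus is mapped to POST; a state-changing GET would bypass the check.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            inv.invoke();
            return;
        }

        // Defence 1: the request must come from our own origin. Browsers send Origin on
        // cross-site POSTs, so a missing or foreign Origin (or Referer) is grounds to reject.
        String source = c.getHeader("Origin");
        if (source == null) source = c.getHeader("Referer");
        if (!sameOrigin(source, allowedOrigin)) {
            c.renderError(403);
            return;
        }

        // Defence 2: the synchronizer token. The attacker's page cannot read the victim's
        // token (same-origin policy), so it cannot build a request that passes this check.
        String expected = c.getSessionAttr(TOKEN_NAME);
        String supplied = c.getPara(TOKEN_NAME);
        if (supplied == null) supplied = c.getHeader("X-CSRF-Token"); // assumed header for AJAX callers
        if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
            c.renderError(403);
            return;
        }

        inv.invoke();
    }

    /** Compares the scheme://host[:port] of an Origin value or Referer URL with the allowed origin. */
    static boolean sameOrigin(String headerValue, String allowed) {
        if (headerValue == null || headerValue.isEmpty() || "null".equals(headerValue)) {
            return false; // "null" is what browsers send for opaque origins (sandboxed frames, data: URLs)
        }
        try {
            URI u = new URI(headerValue);
            if (u.getScheme() == null || u.getHost() == null) return false;
            String got = u.getScheme() + "://" + u.getHost()
                       + (u.getPort() == -1 ? "" : ":" + u.getPort());
            return got.equalsIgnoreCase(allowed);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Length-independent comparison so the token cannot be recovered byte by byte via timing. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Registering the interceptor globally, as the comment shows, also covers the public-facing forms, which then need the hidden token too; if that is unwanted, attach it to the admin controllers only. The allowed origin is passed in explicitly rather than derived from the Host header so that a TLS-terminating reverse proxy (where the servlet sees http while the browser sends an https Origin) does not cause false rejections.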

Restrict Admin Access

all

Limit admin interface access to trusted networks only

Configure the reverse proxy or firewall so that /admin paths are reachable only from trusted internal addresses. This narrows who can be targeted but does not stop CSRF: an administrator inside the trusted network who visits a malicious page is still exploitable, because the forged request is sent by their own browser from an allowed address.

🧯 If You Can't Patch

  • Deploy WAF or reverse-proxy rules that reject POST requests to /admin/* whose Origin header (or, failing that, Referer) is absent or does not match the site's own origin
  • Set SameSite=Lax or Strict on the admin session cookie so browsers withhold it on cross-site POSTs
  • Require re-authentication (password re-entry) for sensitive administrative actions, so a forged request cannot complete with the cookie alone

🔍 How to Verify

Check if Vulnerable:

While logged in as an administrator, submit a POST to /admin/category/updateStatus from a page on a different origin (for example a self-submitting HTML form hosted elsewhere), or replay a legitimate request with the Referer and Origin headers removed and no token. If the category status changes, the endpoint performs no CSRF check and the installation is vulnerable.

Check Version:

Check JFinalCMS version in admin panel or configuration files

Verify Fix Applied:

Repeat the cross-origin test: the request must now be rejected (HTTP 403 or equivalent) when the token is missing, stale, or belongs to another session, and succeed only with the valid token issued for the current session.

📡 Detection & Monitoring

Log Indicators:

  • Bursts of category status changes within one admin session that the administrator did not initiate
  • Category update requests with no Referer header, a Referer from another origin, or no CSRF token (once one is implemented)

Network Indicators:

  • HTTP POST requests to /admin/category/updateStatus without expected CSRF parameters
  • Requests with mismatched origin/referrer headers

SIEM Query:

Web server access logs do not normally record POST body fields, so a query keyed on a csrf_token field only works if the application or WAF logs that field. A query on headers most access logs do carry (Splunk-style syntax; adjust field names to your log schema, and replace https://cms.example.com with the site's own origin):

source="web_server" method=POST uri="/admin/category/updateStatus" AND (referer="-" OR NOT referer="https://cms.example.com/*")

Add the Origin header to the log format as well (for example %{Origin}i in an Apache LogFormat), since browsers send it on every cross-site POST even when a referrer policy suppresses Referer.
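The same check run offline over access-log lines, as an added example that is not part of the original page or of JFinalCMS: it parses lines in the Apache/Nginx "combined" format and reports POSTs to the vulnerable endpoint whose Referer is missing or belongs to a different origin. The four log lines in main() are constructed samples, and https://cms.example.com is an assumed site origin.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CsrfLogDetector {

    // combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
    private static final Pattern COMBINED = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+)[^\"]*\" (\\d{3}) \\S+ \"([^\"]*)\" \"([^\"]*)\"$");

    static final String ENDPOINT = "/admin/category/updateStatus";

    /** Returns one finding per suspicious line, in input order. */
    public static List<String> findSuspicious(List<String> lines, String siteOrigin) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = COMBINED.matcher(line);
            if (!m.matches()) continue;                 // unparseable line: skip it, do not abort
            String client = m.group(1), when = m.group(2), method = m.group(3),
                   path = m.group(4), status = m.group(5), referer = m.group(6);
            if (!"POST".equals(method)) continue;       // only state-changing requests matter
            if (!path.equals(ENDPOINT) && !path.startsWith(ENDPOINT + "?")) continue;

            String reason = null;
            if (referer.isEmpty() || "-".equals(referer)) {
                reason = "no Referer";                  // weaker signal: referrer policies also strip it
            } else if (!originOf(referer).equalsIgnoreCase(siteOrigin)) {
                reason = "foreign Referer " + referer;  // strong signal: form posted from another site
            }
            if (reason != null) {
                findings.add(when + " " + client + " status=" + status + " " + reason);
            }
        }
        return findings;
    }

    /** scheme://host[:port] of a URL, or "" if it cannot be parsed. */
    static String originOf(String url) {
        try {
            URI u = new URI(url);
            if (u.getScheme() == null || u.getHost() == null) return "";
            return u.getScheme() + "://" + u.getHost() + (u.getPort() == -1 ? "" : ":" + u.getPort());
        } catch (URISyntaxException e) {
            return "";
        }
    }

    public static void main(String[] args) {
        // Constructed sample lines: a legitimate same-origin post, a post from a lure page,
        // a post with no Referer, and an unrelated GET.
        List<String> sample = List.of(
            "203.0.113.7 - - [10/Jan/2024:09:14:02 +0000] \"POST /admin/category/updateStatus HTTP/1.1\" 200 27 \"https://cms.example.com/admin/category/list\" \"Mozilla/5.0\"",
            "203.0.113.7 - - [10/Jan/2024:09:15:41 +0000] \"POST /admin/category/updateStatus HTTP/1.1\" 200 27 \"https://attacker.example.net/lure.html\" \"Mozilla/5.0\"",
            "203.0.113.7 - - [10/Jan/2024:09:16:03 +0000] \"POST /admin/category/updateStatus HTTP/1.1\" 200 27 \"-\" \"Mozilla/5.0\"",
            "203.0.113.7 - - [10/Jan/2024:09:16:10 +0000] \"GET /admin/category/list HTTP/1.1\" 200 8123 \"-\" \"Mozilla/5.0\"");
        for (String finding : findSuspicious(sample, "https://cms.example.com")) {
            System.out.println(finding);
        }
    }
}
```

A status of 200 on a flagged line means the forged request was accepted; after the fix is deployed, the same pattern should show 403 instead, which makes the detector useful both for spotting exploitation and for confirming the check is live.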

🔗 References
