CVE-2023-50449

7.5 HIGH

📋 TL;DR

JFinalCMS 5.0.0 contains a directory traversal vulnerability that allows remote attackers to read arbitrary files on the server. Attackers can exploit this by manipulating the fileKey parameter in the /common/down/file endpoint. This affects all systems running the vulnerable version of JFinalCMS.

💻 Affected Systems

Products:
  • JFinalCMS
Versions: 5.0.0
Operating Systems: All operating systems running JFinalCMS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of JFinalCMS 5.0.0.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive files such as configuration files, password files, or source code, potentially leading to further attacks.

🟠 Likely Case

Unauthorized reading of sensitive files containing credentials, configuration data, or application source code.

🟢 If Mitigated

Limited impact if proper input validation and file access controls are implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication via a web endpoint.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but external exposure increases overall risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is simple to exploit using directory traversal sequences (../) in the fileKey parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in available references

Vendor Advisory: https://gitee.com/heyewei/JFinalcms/issues/I7WGC6

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Implement input validation to reject directory traversal sequences in the fileKey parameter.

Implement server-side validation to block ../ sequences in file paths
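The workaround above is stated as a denylist on the literal ../ sequence. A check that only looks for that substring misses percent-encoded, double-encoded, backslash and absolute-path variants, so the more robust form is to decode the key, normalise it and confirm the result stays inside a single download directory. The following is an added example written for this page; it is not JFinalCMS code, and BASE_DIR, resolve_file_key and the sample keys are hypothetical, constructed values.

```python
"""Added example (not JFinalCMS code): a server-side check for a download
key such as the fileKey parameter. It canonicalises the key and confirms
the result stays inside one download directory instead of only rejecting
the literal '../' substring. BASE_DIR and resolve_file_key are hypothetical
names; BASE_DIR is a constructed path."""
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/srv/cms/uploads"  # constructed base directory for downloads


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '..' (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_file_key(file_key: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path for file_key if it stays inside base_dir, else None."""
    if not file_key:
        return None
    key = _fully_decode(file_key)
    # Treat backslashes as separators (Windows hosts); reject NUL bytes and absolute paths.
    key = key.replace("\\", "/")
    if "\x00" in key or key.startswith("/"):
        return None
    # normpath collapses '.' and '..' lexically without touching the filesystem;
    # anything that still starts with '..' has escaped the base directory.
    normalised = posixpath.normpath(key)
    if normalised == ".." or normalised.startswith("../") or normalised == ".":
        return None
    candidate = posixpath.join(base_dir, normalised)
    # Belt-and-braces containment check on the joined path.
    base_prefix = base_dir.rstrip("/") + "/"
    if not candidate.startswith(base_prefix):
        return None
    # In a real deployment also apply os.path.realpath() to the candidate and
    # repeat the prefix check, so symlinks inside base_dir cannot escape it.
    return candidate


if __name__ == "__main__":
    for key in ("docs/report.pdf", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{key!r:32} -> {resolve_file_key(key)}")
```

The check is purely lexical so it runs offline; the comment about os.path.realpath() marks the one step a live deployment still needs, because a symlink placed inside the base directory can point outside it.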

Web Application Firewall Rule

Platform: all

Configure WAF to block requests containing directory traversal patterns to the vulnerable endpoint.

Add WAF rule: Block requests to /common/down/file with ../ in parameters

🧯 If You Can't Patch

  • Restrict access to the /common/down/file endpoint using network controls or authentication
  • Implement file access controls to limit which directories the application can read

🔍 How to Verify

Check if Vulnerable:

Test by sending a request to /common/down/file with a fileKey parameter containing ../ sequences and observing whether arbitrary files are returned.

Check Version:

Check JFinalCMS version in application configuration or admin panel

Verify Fix Applied:

Test the same exploit attempt after implementing fixes to confirm directory traversal is blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /common/down/file with ../ sequences in parameters
  • Unusual file access patterns from web requests

Network Indicators:

  • HTTP requests containing directory traversal patterns (../) to the vulnerable endpoint

SIEM Query:

source="web_server" AND url_path="/common/down/file" AND (param="*../*" OR user_agent="*../*")
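The log indicators and SIEM query above describe what to look for; the following added example (written for this page, not JFinalCMS or vendor code) runs that logic over a few constructed web-server access-log lines in combined log format. It decodes each query parameter before matching, so percent-encoded traversal that a plain `*../*` wildcard would miss is still flagged, and it counts hits per source address. The log lines, IP addresses and function names are constructed for illustration.

```python
"""Added example (not JFinalCMS code): detection of traversal attempts
against /common/down/file in access-log lines. SAMPLE_LOG is constructed
sample data; find_traversal_attempts and count_by_source are hypothetical
names chosen for this example."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /common/down/file?fileKey=docs%2Freport.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:07 +0000] "GET /common/down/file?fileKey=../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.4.0"
203.0.113.9 - - [10/Jan/2024:10:00:08 +0000] "GET /common/down/file?fileKey=%2e%2e%2f%2e%2e%2fWEB-INF%2fweb.xml HTTP/1.1" 200 2210 "-" "curl/8.4.0"
198.51.100.4 - - [10/Jan/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:10:00:15 +0000] "GET /common/down/file?fileKey=images/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A '..' path component, after backslashes have been normalised to '/'.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def find_traversal_attempts(log_text: str,
                            endpoint: str = "/common/down/file") -> List[Dict[str, object]]:
    """Return one record per request to endpoint whose query carries a '..' component."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if parts.path != endpoint:
            continue
        # parse_qsl decodes once; a second unquote catches double encoding.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote(unquote(value)).replace("\\", "/")
            if TRAVERSAL_RE.search(decoded):
                hits.append({
                    "ip": m["ip"],
                    "timestamp": m["ts"],
                    "param": name,
                    "value": value,
                    "status": int(m["status"]),
                })
                break  # one record per request is enough
    return hits


def count_by_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Aggregate flagged requests per source address, as a SIEM dashboard would."""
    return dict(Counter(str(h["ip"]) for h in hits))


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["timestamp"]}  {h["ip"]}  {h["param"]}={h["value"]}  status={h["status"]}')
    print("per source:", count_by_source(found))
```

A 200 status on a flagged request is the detail worth escalating: it indicates the server served the requested path rather than rejecting it, which is the difference between an attempt and a successful read.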
