Miggo Logo
Miggo Vulnerability Database
CVE-2023-49378

CVE-2023-49378: Cross-Site Request Forgery in JFinalCMS via /admin/form/save

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-49378
GHSA ID
GHSA-gw26-cchc-8f2f
EPSS Score
0.50082%
CWE
CWE-352
Published
12/5/2023
Updated
12/12/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.jfinal:jfinalmaven<= 5.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability manifests in the request handler for /admin/form/save endpoint. While the exact controller class isn't specified in available data, JFinal's architecture routes requests to Controller methods. The absence of CSRF protection (like token validation) in this endpoint's handler allows successful exploitation as demonstrated by the POC. The high confidence comes from: 1) The working POC requiring no CSRF token 2) JFinal's MVC pattern making Controller methods the entry point 3) CSRF vulnerabilities typically occurring at the request handling layer when protections are missing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*in*l*MS v*.*.* w*s *is*ov*r** to *ont*in * *ross-Sit* R*qu*st *or**ry (*SR*) vuln*r**ility vi* /**min/*orm/s*v*.

Reasoning

T** vuln*r**ility m*ni**sts in t** r*qu*st **n*l*r *or /**min/*orm/s*v* *n*point. W*il* t** *x**t *ontroll*r *l*ss isn't sp**i*i** in *v*il**l* **t*, J*in*l's *r**it**tur* rout*s r*qu*sts to *ontroll*r m*t*o*s. T** **s*n** o* *SR* prot**tion (lik* to