Basic Information

- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.jfinal:jfinal | maven | <= 5.0.0 | - |
The vulnerability is in the friend link deletion endpoint (/admin/friend_link/delete), which accepts POST requests without any CSRF protection. In JFinalCMS's MVC architecture this endpoint would map to a controller method (likely a delete() method in FriendLinkController). The provided POC demonstrates successful exploitation with a plain POST request carrying no CSRF token, which indicates that the method lacks a protective annotation such as @Before(CSRFInterceptor.class) that would validate each request before it reaches the action. Confidence is high for two reasons: 1) the vulnerability pattern matches unprotected controller methods in JFinal framework applications, and 2) the working POC confirms that no CSRF check is performed.