CVE-2023-49381: Cross-Site Request Forgery in JFinalCMS via /admin/div/update
8.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.50082%
CWE
Published
12/5/2023
Updated
12/12/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.jfinal:jfinal | maven | <= 5.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
- The vulnerability manifests at /admin/div/update endpoint which maps to controller methods in MVC frameworks like JFinal
- CSRF vulnerabilities typically occur in state-changing handlers (POST/PUT) without anti-CSRF tokens
- The POC demonstrates a working exploit without CSRF tokens
- JFinal's architecture would typically require @Before interceptors for security checks which appear to be missing here
- The 'update' action name matches common CRUD operation naming for modification endpoints