
CVE-2023-49381: Cross-Site Request Forgery in JFinalCMS via /admin/div/update

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.50082%
Published: 12/5/2023
Updated: 12/12/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name: com.jfinal:jfinal
Ecosystem: maven
Vulnerable Versions: <= 5.0.0
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The vulnerability manifests at the /admin/div/update endpoint, which maps to a controller action method in MVC frameworks such as JFinal
  2. CSRF vulnerabilities typically arise in state-changing handlers (POST/PUT) that do not verify an anti-CSRF token
  3. The PoC demonstrates a working exploit without any CSRF token being supplied
  4. JFinal's architecture would typically rely on @Before interceptors for security checks, and such an interceptor appears to be missing here
  5. The 'update' action name matches common CRUD naming for modification endpoints
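As an added example (not code from JFinalCMS or from this page), the synchronizer-token @Before interceptor that the analysis above identifies as missing, wired to a hypothetical controller with the same route shape as /admin/div/update; the class names, the csrfToken field name and the edit.html view are assumptions.

```java
import com.jfinal.aop.Before;
import com.jfinal.aop.Interceptor;
import com.jfinal.aop.Invocation;
import com.jfinal.core.Controller;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
// Hypothetical synchronizer-token check, applied with @Before to state-changing admin actions.
public class CsrfInterceptor implements Interceptor {
    public static final String TOKEN_KEY = "csrfToken"; // session attribute and form field name (assumed)

    @Override
    public void intercept(Invocation inv) {
        Controller c = inv.getController();
        String method = c.getRequest().getMethod();
        // Safe methods change no state; enforce only on POST/PUT/PATCH/DELETE.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            inv.invoke();
            return;
        }
        String expected = c.getSessionAttr(TOKEN_KEY);
        String supplied = c.getPara(TOKEN_KEY);
        if (expected == null || supplied == null
                || !MessageDigest.isEqual(expected.getBytes(), supplied.getBytes())) {
            c.renderError(403); // reject: the action method is never invoked
            return;
        }
        inv.invoke();
    }
    // Mint a fresh token into the session; call when rendering the form that posts to update().
    public static String issueToken(Controller c) {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        c.setSessionAttr(TOKEN_KEY, token);
        return token;
    }
}
// Hypothetical controller with the affected route shape, routed as me.add("/admin/div", DivController.class);
// package-private only so it fits one file, in a project it would be public in its own file.
@Before(CsrfInterceptor.class)
class DivController extends Controller {
    public void edit() {                  // GET: render the form, embedding the token as a hidden field
        setAttr(CsrfInterceptor.TOKEN_KEY, CsrfInterceptor.issueToken(this));
        render("edit.html");
    }
    public void update() {                // POST: reached only after CsrfInterceptor accepted the token
        renderJson("ok", true);           // persistence of the div record omitted
    }
}
```

A request forged from another origin cannot read the token out of the victim's session-bound form, so the 403 branch is what a CSRF attempt hits; log those rejections on admin routes as a detection signal.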


WAF Protection Rules

WAF Rule

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/div/update.
