
CVE-2023-49397: Cross-Site Request Forgery in JFinalCMS via /admin/category/updateStatus

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.50082%
Published: 12/5/2023
Updated: 12/12/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: com.jfinal:jfinal
Ecosystem: maven
Vulnerable Versions: <= 5.0.0
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability manifests in the controller handling the /admin/category/updateStatus endpoint. CSRF vulnerabilities typically occur when state-changing endpoints lack anti-CSRF token validation. The POC demonstrates a working exploit without any CSRF token, indicating that the request handler performs no such validation. In MVC frameworks like JFinal, this corresponds to the controller method mapped to the endpoint (likely updateStatus in CategoryController). The high confidence comes from:
1) the explicit vulnerability description tying it to this endpoint;
2) a working POC demonstrating the exploit;
3) typical JFinal architecture patterns for request routing.
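The missing control the analysis describes is a synchronizer-token check on state-changing controller actions. The following is an added illustration of that mitigation in JFinal, not JFinalCMS code or the project's fix: the controller and action names (CategoryController, updateStatus, edit) are assumptions taken from the analysis above, the parameter name `_csrf` and session key are chosen here, and the framework calls used (Interceptor, Invocation, Controller, @Before, getPara, getSessionAttr, renderError) are JFinal's public API.

```java
// Added example (not JFinalCMS or JFinal project code): a per-session
// anti-CSRF token enforced by an interceptor on every non-idempotent request.
// Class and action names below are assumptions based on the analysis above.
import com.jfinal.aop.Before;
import com.jfinal.aop.Interceptor;
import com.jfinal.aop.Invocation;
import com.jfinal.core.Controller;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Rejects state-changing requests that do not carry the session's CSRF token. */
public class CsrfInterceptor implements Interceptor {
    public static final String SESSION_KEY = "csrfToken"; // chosen for this example
    public static final String PARAM_NAME = "_csrf";      // chosen for this example

    @Override
    public void intercept(Invocation inv) {
        Controller c = inv.getController();
        String method = c.getRequest().getMethod();
        // Safe methods must not change state, so only the others need the token.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            inv.invoke();
            return;
        }
        String expected = c.getSessionAttr(SESSION_KEY);
        String supplied = c.getPara(PARAM_NAME);
        // A cross-site form post cannot read the victim's session token, so it
        // arrives without one (or with a wrong one) and stops here with 403.
        if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
            c.renderError(403);
            return;
        }
        inv.invoke();
    }

    /** Issue a fresh random token, store it in the session and return it for the form. */
    public static String issueToken(Controller c) {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        c.setSessionAttr(SESSION_KEY, token);
        return token;
    }

    /** Compare tokens without leaking the first mismatching position via timing. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}

/** Hypothetical admin controller; the real JFinalCMS class is not on the page. */
@Before(CsrfInterceptor.class)
class CategoryController extends Controller {

    /** Renders the edit form and embeds the token as a hidden "_csrf" field. */
    public void edit() {
        setAttr("csrf", CsrfInterceptor.issueToken(this));
        render("edit.html"); // template path is an assumption
    }

    /** Only reached after CsrfInterceptor accepted the token on a POST. */
    public void updateStatus() {
        int id = getParaToInt("id");
        int status = getParaToInt("status");
        // ... persist the status change for category `id` here ...
        renderJson("ok", true);
    }
}
```

The interceptor is attached at class level so every action in the controller is covered; the check is keyed on the HTTP method rather than on the action name, which is what stops a forged POST to updateStatus while leaving the GET that renders the form unaffected. Rotating the token on each form render (as issueToken does) also limits the window in which a leaked token remains useful.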

Vulnerable functions


WAF Protection Rules

WAF Rule

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/category/updateStatus.
