CVE-2023-50136 in JFinalcmsinfo

Summary

by MITRE • 01/10/2024

Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the name field when creating a new custom table.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 06/04/2025

This cross site scripting vulnerability exists within JFinalcms version 5.0.0 affecting the custom table creation functionality. The flaw manifests when attackers exploit the name field input validation, allowing malicious script execution within the context of the victim's browser. The vulnerability falls under the CWE-79 category of Cross Site Scripting, specifically representing a stored XSS attack vector where malicious payloads are persisted in the application's database and executed when other users view the affected content. The attack occurs during the creation of custom tables, making it particularly dangerous as it can be leveraged by attackers to compromise user sessions or perform unauthorized actions on behalf of legitimate users. The vulnerability enables attackers to inject malicious JavaScript code that executes in the browser of any user who interacts with the compromised custom table data, potentially leading to session hijacking, data exfiltration, or further exploitation of the affected system.

The technical implementation of this vulnerability stems from inadequate input sanitization and output encoding within the custom table creation module. When users provide input through the name field during custom table creation, the application fails to properly validate or escape special characters that could be interpreted as executable script code. This weakness allows attackers to inject payload strings containing javascript code that gets stored in the database and subsequently rendered in the user interface without proper sanitization. The attack vector is particularly concerning because it operates in a privileged context where legitimate users might be creating or managing custom tables, making the attack surface more accessible and potentially more damaging than typical XSS scenarios.

The operational impact of this vulnerability extends beyond simple script execution to encompass potential full system compromise through session hijacking and privilege escalation. Attackers can leverage this vulnerability to steal user authentication cookies, redirect users to malicious sites, or inject additional malicious code that could lead to further exploitation. The stored nature of the XSS payload means that the attack can persist even after the initial injection, continuously affecting users who access the compromised custom tables. This vulnerability particularly affects organizations using JFinalcms for content management or database administration, where custom tables are frequently created and accessed by multiple users, amplifying the potential damage. The vulnerability also aligns with ATT&CK technique T1566.001 for initial access through malicious web content and T1071.001 for application layer protocol usage.

Mitigation strategies for this vulnerability require immediate implementation of robust input validation and output encoding mechanisms throughout the custom table creation process. Organizations should implement strict sanitization of all user inputs, particularly in fields where dynamic content is rendered, utilizing libraries such as OWASP Java HTML Sanitizer or similar validation frameworks. The application should employ proper context-aware output encoding when rendering user-supplied data in web contexts, ensuring that any special characters are properly escaped to prevent interpretation as executable code. Additionally, implementing Content Security Policy headers and using secure coding practices such as parameterized queries and input validation at multiple layers can significantly reduce the risk of exploitation. Regular security updates and patch management procedures should be enforced to address similar vulnerabilities in third-party components, while comprehensive security testing including automated vulnerability scanning and manual penetration testing should be conducted to identify and remediate similar issues across the application stack.

Reservation

12/04/2023

Disclosure

01/10/2024

Moderation

accepted

CPE

ready

EPSS

0.00408

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!