Lucene search

GitHub Advisory DatabaseGHSA-R2WJ-MXVH-WQFH

HistoryDec 05, 2023 - 3:30 p.m.

Cross-Site Request Forgery in JFinalCMS via the component /admin/friend_link/save

2023-12-0515:30:37

CWE-352

GitHub Advisory Database

github.com

cross-site request forgery

jfinalcms

component

admin

friend_link

save

software

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

24.1%

JSON

JFinalCMS v5.0.0 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /admin/friend_link/save.

Affected configurations

Vulners

Node

com.jfinaljfinalRange≤5.0.0

VendorProductVersionCPE
com.jfinaljfinal*cpe:2.3:a:com.jfinal:jfinal:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
com.jfinal	jfinal	*	cpe:2.3:a:com.jfinal:jfinal::::::::

References

github.com/advisories/GHSA-r2wj-mxvh-wqfh

github.com/cui2shark/cms/blob/main/There%20is%20a%20CSRF%20in%20the%20new%20location%20of%20the%20friendship%20link.md

nvd.nist.gov/vuln/detail/CVE-2023-49379

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

24.1%

JSON

Related for GHSA-R2WJ-MXVH-WQFH