Skip to main content

CVE-2023-50136: n/a in n/a

Medium
VulnerabilityCVE-2023-50136cvecve-2023-50136
Published: Tue Jan 09 2024 (01/09/2024, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: n/a

Description

Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the name field when creating a new custom table.

AI-Powered Analysis

AILast updated: 07/04/2025, 09:40:12 UTC

Technical Analysis

CVE-2023-50136 is a Cross Site Scripting (XSS) vulnerability identified in JFinalcms version 5.0.0. This vulnerability arises from improper sanitization of user input in the 'name' field when creating a new custom table within the CMS. An attacker with at least limited privileges (PR:L) and requiring user interaction (UI:R) can inject malicious scripts that execute in the context of other users' browsers. The vulnerability has a CVSS v3.1 base score of 5.4 (medium severity), reflecting its network attack vector (AV:N), low attack complexity (AC:L), and partial impact on confidentiality and integrity (C:L/I:L), but no impact on availability (A:N). The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable component. Exploitation could allow attackers to steal session tokens, perform actions on behalf of other users, or manipulate displayed content, potentially leading to further compromise within the affected environment. No public exploits or patches are currently available, and the affected product details beyond the version are not fully specified.

Potential Impact

For European organizations using JFinalcms 5.0.0, this vulnerability poses a moderate risk. Successful exploitation could lead to unauthorized disclosure of sensitive information (e.g., session cookies), integrity violations through content manipulation, and potential escalation of privileges if combined with other vulnerabilities. Given that exploitation requires authenticated access and user interaction, the threat is somewhat limited to insiders or users with legitimate access who can be socially engineered. However, in sectors such as government, finance, or critical infrastructure where CMS platforms manage sensitive data or public-facing content, the impact could be significant, leading to reputational damage, data leakage, or disruption of services. The lack of available patches increases the window of exposure, emphasizing the need for proactive mitigation.

Mitigation Recommendations

European organizations should implement the following specific measures: 1) Restrict access to the custom table creation functionality to trusted administrators only, minimizing the attack surface. 2) Employ strict input validation and output encoding on the 'name' field and all user-supplied data within the CMS, even if patches are not yet available. 3) Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 4) Monitor logs for suspicious activity related to custom table creation or unusual user input patterns. 5) Educate users about phishing and social engineering risks to reduce the chance of malicious user interaction. 6) Consider isolating the CMS environment or deploying web application firewalls (WAFs) with rules targeting XSS payloads. 7) Stay alert for vendor updates or patches and apply them promptly once released.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2023-12-04T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 683f0a31182aa0cae27f6ed8

Added to database: 6/3/2025, 2:44:01 PM

Last enriched: 7/4/2025, 9:40:12 AM

Last updated: 8/12/2025, 7:00:53 AM

Views: 17

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats