Lucene search

[email protected]CVE-2023-34927

HistoryJun 22, 2023 - 1:15 p.m.

CVE-2023-34927

2023-06-2213:15:10

CWE-352

[email protected]

web.nvd.nist.gov

casdoor

csrf

vulnerability

cve-2023-34927

security

endpoint

password

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.021 Low

EPSS

Percentile

89.2%

JSON

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user’s password via supplying a crafted URL.

Affected configurations

NVD

Node

casbincasdoorRange≤1.331.0

CPENameOperatorVersion
casbin:casdoorcasbin casdoorle1.331.0

CPE	Name	Operator	Version
casbin:casdoor	casbin casdoor	le	1.331.0

References

casdoor.org/

gist.github.com/omriman067/4e90a3a4ffa40984f011d8777a995469

github.com/casdoor/casdoor/issues/1531

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.021 Low

EPSS

Percentile

89.2%

JSON

Related for CVE-2023-34927

osv2 prion1 cvelist1 github1 veracode2 nvd1 exploitdb1