Lucene search

GitHub Advisory DatabaseGHSA-RWCP-QRWG-56CG

HistoryJun 22, 2023 - 3:30 p.m.

Casdoor Cross-Site Request Forgery vulnerability

2023-06-2215:30:23

CWE-352

GitHub Advisory Database

github.com

casdoor

csrf

vulnerability

set-password

endpoint

version 1.331.0

software

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.021 Low

EPSS

Percentile

89.2%

JSON

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user’s password via supplying a crafted URL.

Affected configurations

Vulners

Node

casbincasdoorRange≤1.331.0

CPENameOperatorVersion
github.com/casdoor/casdoorle1.331.0

CPE	Name	Operator	Version
	github.com/casdoor/casdoor	le	1.331.0

References

casdoor.org/

gist.github.com/omriman067/4e90a3a4ffa40984f011d8777a995469

github.com/advisories/GHSA-rwcp-qrwg-56cg

github.com/casdoor/casdoor/issues/1531

nvd.nist.gov/vuln/detail/CVE-2023-34927

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.021 Low

EPSS

Percentile

89.2%

JSON

Related for GHSA-RWCP-QRWG-56CG