Lucene search

GoogleOSV:GHSA-RWCP-QRWG-56CG

HistoryJun 22, 2023 - 3:30 p.m.

Casdoor Cross-Site Request Forgery vulnerability

2023-06-2215:30:23

Google

osv.dev

casdoor

csrf

vulnerability

endpoint

set-password

attackers

password

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.021 Low

EPSS

Percentile

89.2%

JSON

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user’s password via supplying a crafted URL.

CPENameOperatorVersion
github.com/casdoor/casdoorle1.331.0

CPE	Name	Operator	Version
	github.com/casdoor/casdoor	le	1.331.0

References

casdoor.org

gist.github.com/omriman067/4e90a3a4ffa40984f011d8777a995469

github.com/casdoor/casdoor

github.com/casdoor/casdoor/issues/1531

nvd.nist.gov/vuln/detail/CVE-2023-34927

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.021 Low

EPSS

Percentile

89.2%

JSON

Related for OSV:GHSA-RWCP-QRWG-56CG