Lucene search

Veracode Vulnerability DatabaseVERACODE:41115

HistoryJul 04, 2023 - 10:11 a.m.

Cross-Site Request Forgery (CSRF)

2023-07-0410:11:53

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site request forgery

endpoint validation

password change

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.021 Low

EPSS

Percentile

89.2%

JSON

github.com/casdoor/casdoor is vulnerable to Cross-Site Request Forgery. The vulnerability exists due to the lack of endpoint validation in /api/set-password, which allows an attacker to change a user’s password using a crafted url.

CPENameOperatorVersion
github.com/casdoor/casdoorlev1.403.1
github.com/casdoor/casdoorlev1.403.1

CPE	Name	Operator	Version
	github.com/casdoor/casdoor	le	v1.403.1
	github.com/casdoor/casdoor	le	v1.403.1

References

github.com/advisories/GHSA-rwcp-qrwg-56cg

github.com/casdoor/casdoor/blob/319031da281bc3c31016d8bebe60c6e6d13e9976/controllers/user.go#L340

github.com/casdoor/casdoor/issues/1531

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

0.021 Low

EPSS

Percentile

89.2%

JSON

Related for VERACODE:41115