Lucene search

Veracode Vulnerability DatabaseVERACODE:48618

HistoryAug 28, 2024 - 5:11 a.m.

CORS Misconfiguration

2024-08-2805:11:14

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

casdoor

software

cors

vulnerability

origin validation

cross-domain requests

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

38.0%

JSON

github.com/casdoor/casdoor is vulnerable to CORS Misconfiguration. The vulnerability is due to improper origin header validation, which only checks for a prefix, allowing any domain with a valid subdomain prefix to make cross-domain requests to Casdoor as the logged-in user.

References

github.com/advisories/GHSA-mchx-7j67-8mcf

github.com/casdoor/casdoor/blob/v1.577.0/routers/cors_filter.go#L45

securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor/

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

38.0%

JSON

Related for VERACODE:48618