Xiangyu Guo

**Name of the Vulnerable Software and Affected Versions** Casdoor versions prior to 2.362.1 **Description** The SAML callback handler in `controllers/auth.go` accepts any well-formed SAMLResponse sent to the "/api/acs" endpoint without verifying if it corresponds to a previously issued AuthnRequest. Furthermore, if an administrator disables or deletes an Identity Provider (IdP) after a SAML flow has started, the handler continues to process the response using the provider snapshot from the start of the request. This allows an attacker controlling a registered upstream IdP to send unsolicited SAML responses or replay captured responses in different sessions or after a flow has ended, leading to unauthorized session issuance and persistent access. **Recommendations** Update to a version later than 2.362.0.

**Name of the Vulnerable Software and Affected Versions** Casdoor versions prior to 2.362.1 **Description** An authentication bypass exists that allows attackers to impersonate users, bypass multifactor authentication, and gain persistent unauthorized access. The issue occurs because the `buildSpCertificateStore()` function extracts the X.509 certificate directly from the incoming SAMLResponse instead of utilizing the trusted pre-configured Identity Provider certificate. This allows an attacker to forge assertions signed with a key under their control. Additionally, flaws in account binding and token exchange mechanisms enable further authentication bypass and privilege escalation. **Recommendations** Update to a patched version. Review authentication logs for suspicious activities related to SAML responses or unexpected account access.

**Name of the Vulnerable Software and Affected Versions** Casdoor versions prior to 2.362.1 **Description** A logic flaw exists in the social-login binding flow. The binding-rule code path in 'controllers/auth.go' calls the `HandleLoggedIn()` function directly without invoking `checkMfaEnable()`, allowing users to bypass configured Multi-Factor Authentication (MFA) requirements. Consequently, any user authenticating through this path is logged in without MFA enforcement. **Recommendations** Update to a version later than 2.362.0. As a temporary workaround, restrict access to the social-login binding flow until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Casdoor versions prior to 2.363.0 **Description** An issue exists involving unverified email binding that may enable account takeover. The `getExistUserByBindingRule()` function matches users by email without verifying the `email verified` claim from upstream providers, as the `idp.UserInfo` struct lacks an `EmailVerified` field. An attacker can provide an unverified email claim from an upstream provider to take over accounts associated with the same email address. **Recommendations** Update to a version later than 2.362.0.

In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor.

**Name of the Vulnerable Software and Affected Versions** Casdoor versions prior to 2.362.1 **Description** An issue allows cross-organization token exchange. The `GetTokenExchangeToken()` function in object/token oauth.go validates JWT signatures but fails to verify if the token's user belongs to the same organization as the target application, potentially leading to privilege escalation across organizational boundaries. **Recommendations** Update to a version later than 2.362.0. As a temporary workaround, restrict access to the `GetTokenExchangeToken()` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Casdoor versions prior to 2.362.1 **Description** Casdoor maps SAML assertions to user sessions without replay protection. The `ParseSamlResponse()` function in object/saml sp.go calls `sp.RetrieveAssertionInfo()` and immediately maps the result to a user session. The SAML Service Provider (SP) code path lacks an assertion ID cache, OneTimeUse condition enforcement, and replay detection. This allows an attacker to replay a previously captured SAML assertion to obtain an authenticated session for the assertion's subject, including administrator accounts, bypassing the need for passwords or multi-factor authentication (MFA) credentials. **Recommendations** Update to a version later than 2.362.0.

**Name of the Vulnerable Software and Affected Versions** Casdoor versions prior to 2.363.0 **Description** Casdoor fails to enforce SAML assertion time bounds. The `gosaml2` library calculates time-validation results, such as `NotOnOrAfter` and `NotBefore`, and reports them in the `assertionInfo.WarningInfo` field. However, the `ParseSamlResponse()` function does not read this field, causing the time bounds to be discarded before a user session is issued. **Recommendations** Update to a version later than 2.362.0.

**Name of the Vulnerable Software and Affected Versions** Casdoor versions prior to 2.362.1 **Description** Casdoor fails to verify if a JSON Web Token (JWT) used for token exchange remains active. The `GetTokenExchangeToken()` function in object/token oauth.go validates the JWT signature and parses its claims but does not query the Token table to check if the subject token has been revoked or invalidated. This absence of a revocation check prevents administrators from terminating active sessions or revoking compromised tokens. **Recommendations** Update to a version later than 2.362.0.

**Name of the Vulnerable Software and Affected Versions** Mattermost versions 10.5.0 through 10.5.11 Mattermost versions 10.11.0 through 10.11.3 **Description** The software does not properly validate team membership permissions in the Add Channel Member API. This allows users from one team to access user metadata and channel membership information from other teams. The affected API endpoint is used to add members to channels. The issue allows unauthorized access to information from other teams via the API. **Recommendations** Update Mattermost to a version later than 10.5.11. Update Mattermost to a version later than 10.11.3.