PT-2022-6345 · Casdoor · Casdoor
Govulnbot · Published 2022-01-22 · Updated 2024-08-21 · CVE-2022-24124

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Casdoor versions prior to 1.13.1

Description: The query API in Casdoor has a SQL injection issue in its handling of the field and value parameters, demonstrated by the "api/get-organizations" endpoint. Because the SQL query structure is not adequately protected from these user-supplied parameters, a remote attacker may gain unauthorized access to protected information.

Recommendations: For versions prior to 1.13.1, update to version 1.13.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the query API or disabling the use of the field and value parameters in the affected endpoint until the patch is applied.

References: Exploit · Fix

Weakness Enumeration: SQL injection

Related Identifiers:
BDU:2023-00991
CVE-2022-24124
GHSA-M358-G4RP-533R
GO-2022-0303

Affected Products: Casdoor