PT-2023-25055 · Casdoor · Casdoor

Omriman067

Published

2023-06-22

Updated

2023-06-28

CVE-2023-34927

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Casdoor versions 1.331.0 and below

Description The issue is related to a Cross-Site Request Forgery (CSRF) in the "/api/set-password" endpoint. This allows attackers to change a victim user's password by supplying a crafted URL.

Recommendations For Casdoor versions 1.331.0 and below, as a temporary workaround, consider restricting access to the "/api/set-password" endpoint until a patch is available. Avoid using this endpoint in scenarios where CSRF attacks are possible. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2023-34927

GHSA-RWCP-QRWG-56CG

Affected Products

Casdoor

PT-2023-25055 · Casdoor · Casdoor

CVE-2023-34927

Weakness Enumeration

Related Identifiers

Affected Products

References · 10