PT-2024-29486 · Casdoor
Kevin Stubbings · Published 2024-08-14 · Updated 2024-08-30
CVE-2024-41657
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Casdoor versions 1.577.0 and earlier
Description
A logic issue exists in the beego filter CorsFilter, allowing any website to make cross-domain requests to Casdoor as the logged-in user. The filter validates the Origin header by checking only that it begins with an allowed value, not that it matches exactly. The owner of any domain can therefore register a subdomain whose name starts with an allowed origin; for example, the owner of example.com can serve a site at localhost.example.com, which passes the prefix check and lets that site make requests to Casdoor as the currently signed-in user.
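To illustrate the logic error described above, here is an added Go example (not Casdoor's or beego's own code; the allow-list and function names are constructed for the illustration) that places the flawed prefix comparison beside an exact scheme-and-host comparison:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed allow-list for the illustration; Casdoor's real configuration is not shown on the page.
var allowedOrigins = []string{"http://localhost", "https://app.example.org"}

// originAllowedByPrefix reproduces the flawed pattern the advisory describes:
// an Origin is accepted whenever it merely starts with an allow-listed entry,
// so "http://localhost.example.com" passes because it starts with "http://localhost".
func originAllowedByPrefix(origin string) bool {
	for _, a := range allowedOrigins {
		if strings.HasPrefix(origin, a) {
			return true
		}
	}
	return false
}

// originAllowedExact is the hardened check: parse the Origin and require scheme
// and host (including any port) to match an allow-listed entry exactly.
// Unparsable or schemeless values such as "null" are rejected.
func originAllowedExact(origin string) bool {
	o, err := url.Parse(origin)
	if err != nil || o.Scheme == "" || o.Host == "" {
		return false
	}
	for _, a := range allowedOrigins {
		al, err := url.Parse(a)
		if err != nil {
			continue
		}
		if strings.EqualFold(o.Scheme, al.Scheme) && strings.EqualFold(o.Host, al.Host) {
			return true
		}
	}
	return false
}

func main() {
	for _, origin := range []string{"http://localhost", "http://localhost.example.com", "https://app.example.org.attacker.test"} {
		fmt.Printf("%-42s prefix=%-5v exact=%v\n", origin, originAllowedByPrefix(origin), originAllowedExact(origin))
	}
}
```

Run it to see the prefix check accept the look-alike subdomains while the exact check rejects them; a detection rule can apply the same exact comparison to the Origin values recorded in access logs.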
Recommendations
For Casdoor versions 1.577.0 and earlier, as a temporary workaround, consider disabling the CorsFilter function until a patch is available. Restrict access to the beego filter to minimize the risk of exploitation. Avoid using the Origin header in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Related Identifiers
Affected Products
Casdoor
Beego