PT-2024-29487 · Casdoor · Casdoor

Author: Kevin Stubbings +1

Published: 2024-08-14

Updated: 2024-08-30

CVE: CVE-2024-41658

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Casdoor versions 1.577.0 and earlier

Description: The issue concerns a reflected XSS vulnerability in the purchase URL created to generate a WechatPay QR code. When a user purchases an item through Casdoor and chooses to pay via Wechat Pay, a QR code with the Wechat Pay link is displayed on the payment page. This page reads the query parameter successUrl from the URL and redirects the user to that URL after a successful purchase. An attacker can craft a special URL and send it to the user, potentially leading to an XSS attack once the payment has gone through. The vulnerability can be exploited when users share the payment page or are socially engineered into sending it to others, as they may not consider the page to contain sensitive information.

Recommendations: For Casdoor versions 1.577.0 and earlier, as a temporary workaround, consider restricting access to the payment page that generates the WechatPay QR code until a patch is available. Avoid using the successUrl parameter in the affected URL to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
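The root cause described above is a page that takes a redirect target (successUrl) from its own query string and navigates to it unchecked. The following is an added example of the defensive check a payment page can apply before redirecting; it is not Casdoor's code, and the function names (sanitizeSuccessUrl, successUrlFromQuery), the fallback path DEFAULT_SUCCESS_PATH and the origin casdoor.example are assumptions. Only http(s) targets on the page's own origin are honoured; anything else, including non-http schemes and foreign hosts, falls back to a fixed path.

```javascript
// Added example, not Casdoor's code. Validates a caller-supplied "success URL"
// before a payment page redirects to it: only same-origin http(s) targets pass.
// DEFAULT_SUCCESS_PATH is an assumed fallback route, not a real Casdoor path.
const DEFAULT_SUCCESS_PATH = "/payments/result";

function sanitizeSuccessUrl(candidate, pageOrigin) {
  // Normalise the page origin once; a full page URL is accepted too.
  const origin = new URL(pageOrigin).origin;
  const fallback = new URL(DEFAULT_SUCCESS_PATH, origin).href;

  if (typeof candidate !== "string" || candidate.trim() === "") {
    return fallback;
  }

  let target;
  try {
    // Relative paths resolve against the page origin; absolute and
    // protocol-relative ("//host/...") candidates keep their own host.
    target = new URL(candidate, origin);
  } catch {
    return fallback; // unparsable input never becomes a redirect target
  }

  // Reject every scheme except http(s). This is the check that stops a
  // script-bearing URL from being handed to the navigation API.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return fallback;
  }

  // Reject open redirects: the target must stay on the page's own origin.
  if (target.origin !== origin) {
    return fallback;
  }

  return target.href;
}

// Reads successUrl from a query string (window.location.search in a browser)
// and returns a redirect target that is safe to assign to window.location.
function successUrlFromQuery(search, pageOrigin) {
  const params = new URLSearchParams(search);
  return sanitizeSuccessUrl(params.get("successUrl"), pageOrigin);
}

module.exports = { DEFAULT_SUCCESS_PATH, sanitizeSuccessUrl, successUrlFromQuery };
```

In a browser the page would call successUrlFromQuery(window.location.search, window.location.origin) and assign the result to window.location after the payment completes. The same allowlist check belongs on the server side as well, so that the QR-code link the backend generates never embeds an unvalidated successUrl in the first place.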

Exploit: XSS


Weakness Enumeration

Related Identifiers

CVE-2024-41658
GHSA-GV2P-4MVG-G32H
GO-2024-3086

Affected Products

Casdoor