CVE-2023-34927

MEDIUM6.5EPSS 0.40%

Casdoor Cross-Site Request Forgery vulnerability

Published: 6/22/2023Modified: 11/8/2023

Description

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint `/api/set-password`. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.

Affected packages (1)

Go/github.com/casdoor/casdoorfrom 0, <= 1.331.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-34927
PATCHhttps://github.com/casdoor/casdoor
WEBhttps://casdoor.org
WEBhttps://gist.github.com/omriman067/4e90a3a4ffa40984f011d8777a995469
WEBhttps://github.com/casdoor/casdoor/issues/1531