Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Casdoor
(Casbin)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 7 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-08-20 | CVE-2024-41657 | Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make... | Casdoor | 8.8 | ||
| 2024-08-20 | CVE-2024-41658 | Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, he purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through casdoor, the product page allows you to pay via wechat pay. When using wechat pay, a QR code with the wechat pay link is displayed on the payment page, hosted on the domain of casdoor. This page takes a query parameter from the url successUrl,... | Casdoor | 6.1 | ||
| 2024-08-01 | CVE-2024-41264 | An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey() method. | Casdoor | 7.5 | ||
| 2022-09-09 | CVE-2022-38638 | Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource. | Casdoor | 9.1 | ||
| 2023-06-22 | CVE-2023-34927 | Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL. | Casdoor | 6.5 | ||
| 2022-12-07 | CVE-2022-44942 | Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function. | Casdoor | 8.1 | ||
| 2022-01-29 | CVE-2022-24124 | The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations. | Casdoor | 7.5 |