vendor:
Casdoor
by:
Van Lam Nguyen
5.1
CVSS
MEDIUM
Cross-Site Request Forgery (CSRF)
352
CWE
Product Name: Casdoor
Affected Version From: 1.331.0
Affected Version To: 1.331.0
Patch Exists: NO
Related CWE: CVE-2023-34927
CPE: a:casdoor_project:casdoor:1.331.0
Platforms Tested: Windows
2024
Casdoor < v1.331.0 - '/api/set-password' CSRF
Casdoor version 1.331.0 and below is vulnerable to a CSRF attack in the '/api/set-password' endpoint. This allows an attacker to change a victim user's password by sending a specially crafted URL.
Mitigation:
To mitigate this vulnerability, it is recommended to implement proper CSRF tokens, validate and authenticate user actions, and enforce strict referer headers.
