Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
GHSL-2024-035: Casdoor CORS misconfiguration
Vulnerability Description
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
过度许可的跨域白名单
Vulnerability Title
Casdoor 安全漏洞
Vulnerability Description
Casdoor是Casdoor开源的一个支持多种身份验证和授权协议的开源平台。 Casdoor 1.577.0 版本及之前版本存在安全漏洞,该漏洞源于 beego 的 CorsFilter 过滤器中存在一个逻辑漏洞,该漏洞允许任何网站以登录用户的身份向 Casdoor 发出跨域请求。
CVSS Information
N/A
Vulnerability Type
N/A