NVD Vulnerability Detail
Search Exploit, PoC
CVE-2024-41658
Summary

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, he purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through casdoor, the product page allows you to pay via wechat pay. When using wechat pay, a QR code with the wechat pay link is displayed on the payment page, hosted on the domain of casdoor. This page takes a query parameter from the url successUrl, and redirects the user to that url after a successful purchase. Because the user has no reason to think that the payment page contains sensitive information, they may share it with other or can be social engineered into sending it to others. An attacker can then craft the casdoor link with a special url and send it back to the user, and once payment has gone though an XSS attack occurs.

Publication Date Aug. 21, 2024, 6:15 a.m.
Registration Date Aug. 26, 2024, 4:59 p.m.
Last Update Aug. 29, 2024, 1:08 a.m.
CVSS3.1 : MEDIUM
スコア 6.1
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
攻撃元区分(AV) ネットワーク
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR) 不要
利用者の関与(UI)
影響の想定範囲(S) 変更あり
機密性への影響(C)
完全性への影響(I)
可用性への影響(A) なし
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:casbin:casdoor:*:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List
JVN Vulnerability Information
Casbin の Casdoor におけるクロスサイトスクリプティングの脆弱性
Title Casbin の Casdoor におけるクロスサイトスクリプティングの脆弱性
Summary

Casbin の Casdoor には、クロスサイトスクリプティングの脆弱性が存在します。

Possible impacts 情報を取得される、および情報を改ざんされる可能性があります。
Solution

参考情報を参照して適切な対策を実施してください。
Publication Date Aug. 20, 2024, midnight
Registration Date Aug. 29, 2024, 10:23 a.m.
Last Update Aug. 29, 2024, 10:23 a.m.
Affected System
Casbin
Casdoor 
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
その他
Change Log
No Changed Details Date of change
1 [2024年08月29日]
  掲載		 Aug. 29, 2024, 10:23 a.m.