CVE-2023-34927

MEDIUM

Casbin Casdoor < 1.331.0 - CSRF

Title source: rule

Description

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.

Exploits (3)

exploitdb WORKING POC

by Van Lam Nguyen · textwebappsmultiple

https://www.exploit-db.com/exploits/52439

View Code ZIP pw:eip

exploitdb WORKING POC

by Van Lam Nguyen · textwebappsmultiple

https://www.exploit-db.com/exploits/52432

View Code ZIP pw:eip

exploitdb WORKING POC

by Van Lam Nguyen · textwebappsgo

https://www.exploit-db.com/exploits/51961

View Code ZIP pw:eip

References (3)

[Product] https://casdoor.org/

[Third Party Advisory] https://gist.github.com/omriman067/4e90a3a4ffa40984f011d8777a995469

[Exploit, Issue Tracking, Third Party Advisory] https://github.com/casdoor/casdoor/issues/1531

Scores

CVSS v3 6.5

EPSS 0.0040

EPSS Percentile 60.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

CWE

CWE-352

Status published

Products (2)

casbin/casdoor < 1.331.0

casdoor/casdoor 0Go

Published Jun 22, 2023

Tracked Since Feb 18, 2026