CVE-2024-41657
Last modified
CVE-2024-41657 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. EPSS estimates a 0.75% chance of exploitation in the next 30 days.
Description
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Casbin | Casdoor | All versions |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-41657?
How severe is CVE-2024-41657?
How do I fix CVE-2024-41657?
Are you affected by CVE-2024-41657?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST