
CVE-2023-34927: Casdoor Cross-Site Request Forgery vulnerability

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.56522%
Published: 6/22/2023
Updated: 11/12/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name: github.com/casdoor/casdoor
Ecosystem: go
Vulnerable Versions: <= 1.331.0
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability exists in the /api/set-password endpoint which is handled by the SetPassword function. The GitHub issue (#1531) demonstrates that password changes can be executed via forged POST requests without CSRF tokens or current password verification. In Go web applications, handler functions typically correspond directly to API endpoints. The combination of 1) no CSRF token requirement, 2) no current password check, and 3) state-changing POST operation matches the described vulnerability characteristics. While exact file paths aren't explicitly documented, Casdoor's architecture follows standard Go project structure where account-related handlers reside in controllers/account.go.
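The two missing controls named above (no CSRF token requirement and no current-password check) are easiest to see side by side in a handler. The following is an added example written for this page; it is not Casdoor's code and does not reproduce its `SetPassword` function. The `store` type, the `session` cookie, the `X-CSRF-Token` header and the `old_password`/`new_password` form fields are all assumptions chosen for the illustration. The `attempt` helper plays a browser that holds a valid session cookie: sent without the token (the shape of a cross-site forged POST) the change is refused, and it is only accepted when both the session-bound token and the current password are supplied.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
)

// user is a hypothetical in-memory account record constructed for this example.
type user struct {
	password  string // plaintext only to keep the example short; real code stores a salted hash
	csrfToken string // per-session token, issued when the session is created
}

// store is a hypothetical session store keyed by the session cookie value.
type store struct {
	mu    sync.Mutex
	users map[string]*user
}

func newStore() *store { return &store{users: map[string]*user{}} }

func randomHex() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// login creates a session and issues the CSRF token bound to that session.
// The token is returned to the page, never set as a cookie, so the browser will
// not attach it automatically to a request originating from another site.
func (s *store) login(password string) (sessionID, csrfToken string) {
	sessionID, csrfToken = randomHex(), randomHex()
	s.mu.Lock()
	s.users[sessionID] = &user{password: password, csrfToken: csrfToken}
	s.mu.Unlock()
	return sessionID, csrfToken
}

// setPassword is the hardened handler: a valid session, a matching CSRF token and
// the current password are all required before the stored password is replaced.
func (s *store) setPassword(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	c, err := r.Cookie("session")
	if err != nil {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[c.Value]
	if !ok {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	// Check 1: CSRF token from a header or form field (not a cookie), compared in constant time.
	tok := r.Header.Get("X-CSRF-Token")
	if tok == "" {
		tok = r.FormValue("csrf_token")
	}
	if subtle.ConstantTimeCompare([]byte(tok), []byte(u.csrfToken)) != 1 {
		http.Error(w, "invalid csrf token", http.StatusForbidden)
		return
	}
	// Check 2: the caller must prove knowledge of the current password.
	if subtle.ConstantTimeCompare([]byte(r.FormValue("old_password")), []byte(u.password)) != 1 {
		http.Error(w, "current password incorrect", http.StatusForbidden)
		return
	}
	u.password = r.FormValue("new_password")
	w.WriteHeader(http.StatusOK)
}

// attempt posts a set-password request carrying the session cookie and returns the
// status code plus the password left in the store. An empty csrfToken models a
// request the browser sent on behalf of another origin, which carries cookies only.
func attempt(s *store, sessionID, csrfToken, oldPw, newPw string) (int, string) {
	form := url.Values{"old_password": {oldPw}, "new_password": {newPw}}
	req := httptest.NewRequest(http.MethodPost, "/api/set-password", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: "session", Value: sessionID})
	if csrfToken != "" {
		req.Header.Set("X-CSRF-Token", csrfToken)
	}
	rec := httptest.NewRecorder()
	s.setPassword(rec, req)
	s.mu.Lock()
	defer s.mu.Unlock()
	return rec.Code, s.users[sessionID].password
}

func main() {
	s := newStore()
	sid, tok := s.login("old-password-1")
	fmt.Println(attempt(s, sid, "", "", "attacker-chosen"))             // 403, password unchanged
	fmt.Println(attempt(s, sid, tok, "old-password-1", "new-password-2")) // 200, password replaced
}
```

Either check alone closes the cross-site case: a forged request cannot carry the session-bound token, and it cannot supply the current password. Keeping both also covers the non-CSRF case of a session cookie that has leaked or been left open on a shared machine, which is why the current-password check belongs on a password-change endpoint independently of CSRF protection.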


WAF Protection Rules

WAF Rule

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint `/api/set-password`. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
