8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41657

GHSA ID

GHSA-mchx-7j67-8mcf

EPSS Score

0.50665%

CWE

CWE-942

Published

8/22/2024

Updated

8/22/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-41657

CVE-2024-41657: Casdoor CORS misconfiguration (GHSL-2024-035)

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41657

GHSA ID

GHSA-mchx-7j67-8mcf

EPSS Score

0.50665%

CWE

CWE-942

Published

8/22/2024

Updated

8/22/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/casdoor/casdoor	go	<= 1.557.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the CorsFilter function's origin validation logic in cors_filter.go. The code checks if the Origin header starts with insecure prefixes like 'http://localhost' using strings.HasPrefix, which fails to validate full domain matches. This allows malicious subdomains to bypass CORS restrictions. The GitHub advisory specifically references line 45 in this file as the vulnerable location, and the described attack scenario directly maps to the observed prefix-based validation pattern in the code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*oor is * UI-*irst I**ntity *n* ****ss M*n***m*nt (I*M) / Sin*l*-Si*n-On (SSO) pl*t*orm. In **s*oor *.***.* *n* **rli*r, * lo*i* vuln*r**ility *xists in t** ****o *ilt*r *ors*ilt*r t**t *llows *ny w**sit* to m*k* *ross *om*in r*qu*sts to **s*oor *

Reasoning

T** vuln*r**ility st*ms *rom t** `*ors*ilt*r` *un*tion's ori*in v*li**tion lo*i* in `*ors_*ilt*r.*o`. T** *o** ****ks i* t** `Ori*in` *****r st*rts wit* ins**ur* pr**ix*s lik* '*ttp://lo**l*ost' usin* `strin*s.**sPr**ix`, w*i** **ils to v*li**t* *ull

8.1

Basic Information

Concerned about an active attack path?

CVE-2024-41657: Casdoor CORS misconfiguration (GHSL-2024-035)

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI