6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41658

GHSA ID

GHSA-gv2p-4mvg-g32h

EPSS Score

0.11148%

CWE

CWE-79

Published

8/22/2024

Updated

8/22/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-41658

CVE-2024-41658: Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036)

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, he purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through casdoor, the product page allows you to pay via wechat pay. When using wechat pay, a QR code with the wechat pay link is displayed on the payment page, hosted on the domain of casdoor. This page takes a query parameter from the url successUrl, and redirects the user to that url after a successful purchase. Because the user has no reason to think that the payment page contains sensitive information, they may share it with other or can be social engineered into sending it to others. An attacker can then craft the casdoor link with a special url and send it back to the user, and once payment has gone though an XSS attack occurs.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41658

GHSA ID

GHSA-gv2p-4mvg-g32h

EPSS Score

0.11148%

CWE

CWE-79

Published

8/22/2024

Updated

8/22/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/casdoor/casdoor	go	<= 1.577.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs in QrCodePage.js where the successUrl parameter is directly taken from URLSearchParams and used in a redirect without validation. The setNotifyTask method periodically checks payment status and triggers a redirect using the user-controlled successUrl parameter. An attacker can craft a malicious successUrl with JavaScript code (e.g., javascript:alert(1)), which gets executed when the payment completes. This matches the reflected XSS pattern described in CWE-79 where untrusted input is used in client-side redirects without neutralization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*oor is * UI-*irst I**ntity *n* ****ss M*n***m*nt (I*M) / Sin*l*-Si*n-On (SSO) pl*t*orm. In **s*oor *.***.* *n* **rli*r, ** pur***s* URL t**t is *r**t** to **n*r*t* * W****tP*y QR *o** is vuln*r**l* to r**l**t** XSS. W**n pur***sin* *n it*m t*rou

Reasoning

T** vuln*r**ility o**urs in `Qr*o**P***.js` w**r* t** su***ssUrl p*r*m*t*r is *ir**tly t*k*n *rom URLS**r**P*r*ms *n* us** in * r**ir**t wit*out v*li**tion. T** `s*tNoti*yT*sk` m*t*o* p*rio*i**lly ****ks p*ym*nt st*tus *n* tri***rs * r**ir**t usin* t

6.1

Basic Information

Concerned about an active attack path?

CVE-2024-41658: Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036)

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI