GHSL-2024-036: Reflected XSS in QrCodePage.js

CVE-2024-41658

What is CVE-2024-41658?

The Casdoor platform, known for its user-friendly Identity and Access Management (IAM) and Single-Sign-On (SSO) capabilities, contains a reflected cross-site scripting (XSS) vulnerability within its WechatPay QR code generation feature. In versions 1.577.0 and earlier, the purchase URL can be manipulated via the successUrl query parameter. This vulnerability permits attackers to exploit the payment page, which users might inadvertently share, believing it is secure. An adversary can craft a malicious link, which upon user interaction during a payment transaction, triggers an XSS payload. This flaw introduces significant security concerns as it opens up avenues for data theft and other malicious activities.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References