GHSL-2024-036: Reflected XSS in QrCodePage.js
CVE-2024-41658

6.1MEDIUM

Key Information:

Vendor: Casdoor
Status: Casdoor
Vendor: CVE Published:; 20 August 2024

What is CVE-2024-41658?

The Casdoor platform, known for its user-friendly Identity and Access Management (IAM) and Single-Sign-On (SSO) capabilities, contains a reflected cross-site scripting (XSS) vulnerability within its WechatPay QR code generation feature. In versions 1.577.0 and earlier, the purchase URL can be manipulated via the successUrl query parameter. This vulnerability permits attackers to exploit the payment page, which users might inadvertently share, believing it is secure. An adversary can craft a malicious link, which upon user interaction during a payment transaction, triggers an XSS payload. This flaw introduces significant security concerns as it opens up avenues for data theft and other malicious activities.

Affected Version(s)

casdoor <= 1.577.0

References

https://securitylab.github.com/advisories/GHSL-2024-035_G...

x_refsource_CONFIRM

https://github.com/casdoor/casdoor/blob/v1.577.0/web/src/...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 20, 2024