
github.com/casdoor/casdoor vulnerabilities (cvebase)

12 known vulnerabilities affecting github.com/casdoor/casdoor.

Total CVEs: 12
CISA KEV: 0
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 4, MEDIUM 5, LOW 2

Vulnerabilities

Each entry lists the CVE id, [severity, priority], exploitation flags, the affected version range and the date, followed by the CWE, title and description.

CVE-2025-4210 [MEDIUM, P2] Exploited, PoC | Affected: ≥ 0, < 1.812.0 | 2025-05-02
CWE-285: Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization in github.com/casdoor/casdoor. A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be
Sources: GHSA, OSV

CVE-2022-24124 [HIGH, P2] PoC | Affected: ≥ 0, < 1.13.1 | 2022-02-01
CWE-89: SQL Injection in Casdoor. The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
Sources: GHSA, OSV

CVE-2023-34927 [MEDIUM, P3] PoC | Affected: ≥ 0, ≤ 1.331.0 | 2023-06-22
CWE-352: Casdoor Cross-Site Request Forgery vulnerability. Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint `/api/set-password`. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
Sources: GHSA, OSV

CVE-2022-38638 [CRITICAL, P3] | Affected: ≥ 0, < 1.103.1 | 2022-09-10
CWE-22: Casdoor arbitrary file write vulnerability. Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/upload-resource.
Sources: GHSA, OSV

CVE-2026-5469 [MEDIUM, P3] | Affected: ≥ 0, ≤ 1.1000.0 | 2026-04-03
CWE-918: Casdoor vulnerable to SSRF via crafted Webhook URL. A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Sources: GHSA

CVE-2025-61524 [HIGH, P3] | Affected: ≥ 0, < 2.63.0 | 2025-10-08
CWE-285: Casdoor is vulnerable to Improper Authorization. An issue in the permission verification module and organization/application editing interface in Casdoor before 2.63.0 allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mechanism by directly concatenating URLs after login.
Sources: GHSA, OSV

CVE-2024-41657 [HIGH, P3] | Affected: ≥ 0, ≤ 1.557.0 | 2024-08-22
CWE-942: Casdoor CORS misconfiguration (GHSL-2024-035). Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to a logic error in checking only for a prefix when authenticating the Origin header, any domain
Sources: GHSA, OSV

CVE-2022-44942 [HIGH, P3] | Affected: ≥ 0, < 1.126.1 | 2022-12-07
CWE-22: Casdoor arbitrary file deletion vulnerability via uploadFile function. Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the `uploadFile` function.
Sources: GHSA, OSV

CVE-2024-41264 [MEDIUM, P3] | Affected: ≥ 1.541.0, ≤ 1.636.0 | 2024-08-01
CWE-200: casdoor's use of `ssh.InsecureIgnoreHostKey()` disables host key verification. An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the `ssh.InsecureIgnoreHostKey()` method.
Sources: GHSA, OSV

CVE-2026-5467 [LOW, P4] | Affected: ≥ 0, ≤ 1.1000.0 | 2026-04-03
CWE-601: Casdoor vulnerable to Open Redirect. A vulnerability was identified in Casdoor 2.356.0. Affected by this issue is some unknown functionality of the component OAuth Authorization Request Handler. Such manipulation of the argument redirect_uri leads to open redirect. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respon
Sources: GHSA

CVE-2026-5468 [LOW, P4] | Affected: ≥ 0, ≤ 1.1000.0 | 2026-04-03
CWE-79: Casdoor vulnerable to Stored XSS via Application formCss / formSideHtml. A security flaw has been discovered in Casdoor 2.356.0. This affects the function dangerouslySetInnerHTML. Performing a manipulation of the argument formCss/formCssMobile/formSideHtml results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
Sources: GHSA

CVE-2024-41658 [MEDIUM, P4] | Affected: ≥ 0, ≤ 1.577.0 | 2024-08-22
CWE-79: Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036). Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, the purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through casdoor, the product page allows you to pay via wechat pay. When using wechat pay, a QR code with
Sources: GHSA, OSV