Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-gv2p-4mvg-g32h #3086

Closed
GoVulnBot opened this issue Aug 22, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-gv2p-4mvg-g32h #3086

GoVulnBot opened this issue Aug 22, 2024 · 1 comment
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-gv2p-4mvg-g32h references a vulnerability in the following Go modules:

Module
github.com/casdoor/casdoor

Description:
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, he purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through casdoor, the product page allows you to pay via wechat pay. When using wechat pay, a QR code with the wechat pay link is displayed on the payment page, hosted on the domain of casdoor. This page takes a query parameter from the url successUrl, and redirects the user to that url after a successful purchase. Because the user has no reason to think...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/casdoor/casdoor
      vulnerable_at: 1.674.0
summary: Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor
cves:
    - CVE-2024-41658
ghsas:
    - GHSA-gv2p-4mvg-g32h
references:
    - advisory: https://github.com/advisories/GHSA-gv2p-4mvg-g32h
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41658
    - web: https://github.com/casdoor/casdoor/blob/v1.577.0/web/src/QrCodePage.js
    - web: https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor
source:
    id: GHSA-gv2p-4mvg-g32h
    created: 2024-08-22T18:01:12.904193843Z
review_status: UNREVIEWED
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/609141 mentions this issue: data/reports: add 21 unreviewed reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ianthehat @gopherbot @GoVulnBot