x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-gv2p-4mvg-g32h

[GoVulnBot]

Advisory GHSA-gv2p-4mvg-g32h references a vulnerability in the following Go modules:

Module
github.com/casdoor/casdoor

Description:
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, he purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through casdoor, the product page allows you to pay via wechat pay. When using wechat pay, a QR code with the wechat pay link is displayed on the payment page, hosted on the domain of casdoor. This page takes a query parameter from the url successUrl, and redirects the user to that url after a successful purchase. Because the user has no reason to think...

References:

• ADVISORY: GHSA-gv2p-4mvg-g32h
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41658
• WEB: https://github.com/casdoor/casdoor/blob/v1.577.0/web/src/QrCodePage.js
• WEB: https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor

Cross references:

• github.com/casdoor/casdoor appears in 5 other report(s):
  • data/excluded/GO-2023-1868.yaml (x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-rwcp-qrwg-56cg #1868) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0303.yaml (x/vulndb: potential Go vuln in github.com/casdoor/casdoor: CVE-2022-24124 #303)
  • data/reports/GO-2022-1006.yaml (x/vulndb: potential Go vuln in github.com/casdoor/casdoor: CVE-2022-38638, GHSA-9vm3-r8gq-cr6x #1006)
  • data/reports/GO-2022-1153.yaml (x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-f93f-55c2-8c89 #1153)
  • data/reports/GO-2024-3026.yaml (x/vulndb: potential Go vuln in github.com/casdoor/casdoor: GHSA-67fw-w8f2-88wp #3026)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/casdoor/casdoor
      vulnerable_at: 1.674.0
summary: Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor
cves:
    - CVE-2024-41658
ghsas:
    - GHSA-gv2p-4mvg-g32h
references:
    - advisory: https://github.com/advisories/GHSA-gv2p-4mvg-g32h
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41658
    - web: https://github.com/casdoor/casdoor/blob/v1.577.0/web/src/QrCodePage.js
    - web: https://securitylab.github.com/advisories/GHSL-2024-035_GHSL-2024-036_casdoor
source:
    id: GHSA-gv2p-4mvg-g32h
    created: 2024-08-22T18:01:12.904193843Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/609141 mentions this issue: data/reports: add 21 unreviewed reports