How severe is CVE-2024-41657?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2024-41657?

This is classified as CWE-942, which is a common weakness in software security.

CVE-2024-41657 - HIGH Severity | CVSS 8.8

Vulnerability Description

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user.

Related Vulnerabilities

CVE-2021-34435

HIGH

CVSS:8.8(High)

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to t...

CWE-9422021

CVE-2023-46098

HIGH

CVSS:8.8(High)

A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). When accessing the Information Server from affected products, the products use an overly permissive CORS policy. This coul...

CWE-9422023

CVE-2023-46281

HIGH

CVSS:8.8(High)

A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V...

CWE-9422023

CVE-2023-25603

CRITICAL

CVSS:9.1(Critical)

A permissive cross-domain policy with untrusted domains vulnerability in Fortinet FortiADC 7.1.0 - 7.1.1, FortiDDoS-F 6.3.0 - 6.3.4 and 6.4.0 - 6.4.1 allow an unauthorized attacker to carry out privil...

CWE-9422023

CVE-2024-32862

HIGH

CVSS:8.1(High)

Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains.

CWE-9422024

CVE-2024-41659

HIGH

CVSS:8.1(High)

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set t...

CWE-9422024