Casdoor
cpe:2.3:a:casbin:casdoor:*:*:*:*:*:*:*
- <= 2.62.0
A vulnerability in Casdoor's permission verification module and organization/application editing interface, present in versions through 2.62.0, allows remote authenticated administrators to bypass the system's permission checks. Because the checks are enforced only in the front end, an administrator of one organization can reach the edit pages of other organizations or applications simply by entering their URLs directly after logging in. Exploitation can lead to unauthorized modification of application configurations, disrupting user logins and leaving data in an inconsistent state.
Exploitation can cause a denial of service by disrupting the login process for users, in particular system administrators. It also allows unauthorized modification of application settings, which an attacker can use to steal user credentials or cut off access to the Casdoor management backend.
To reproduce, log into a Casdoor instance running a version through 2.62.0 with an administrator account from a non-built-in organization. Then manually edit the browser URL to open the organization management page of the built-in organization, a page the front end does not link to for this account. From there, set a universal password for the built-in organization's admin account; that password can then be used to log in as that account and gain elevated privileges. Finally, while logged in with the universal password, edit the URL again to open the application management page of another organization, bypassing the front-end permission check, and modify its application configuration.
Update to Casdoor 2.63.0 or later, where this vulnerability is fixed.
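As an added illustration, not Casdoor's own code, the following Go program models the flaw described above and its remedy: an edit endpoint whose authorization only confirms that the caller is some administrator (so any URL the attacker types is accepted) beside one that ties the edit to the owning organization on the server. The type names, the edit path formats and the organization names (`acme`, `other-org`) are assumptions made for the example; the `built-in` organization name is taken from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Constructed model for this example; these are not Casdoor's own types.

// Principal is the logged-in session user.
type Principal struct {
	Name          string
	Owner         string // organization the user belongs to
	IsAdmin       bool   // administrator of that organization
	IsGlobalAdmin bool   // administrator of the built-in organization
}

// Resource is an organization or an application together with the
// organization that owns it (an organization is treated as owning itself).
type Resource struct {
	Kind  string
	Name  string
	Owner string
}

var ErrForbidden = errors.New("forbidden")

// targetFromPath derives the resource an edit-page URL points at. The path
// formats "/organizations/<org>" and "/applications/<org>/<app>" are
// assumptions for this example.
func targetFromPath(path string) (Resource, error) {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	switch {
	case len(parts) == 2 && parts[0] == "organizations":
		return Resource{Kind: "organization", Name: parts[1], Owner: parts[1]}, nil
	case len(parts) == 3 && parts[0] == "applications":
		return Resource{Kind: "application", Name: parts[2], Owner: parts[1]}, nil
	}
	return Resource{}, fmt.Errorf("unknown edit path %q", path)
}

// authorizeEditVulnerable is the flawed pattern: the backend only checks that
// the caller is an administrator and relies on the front end not rendering
// links to other organizations' edit pages. Typing the URL defeats that.
func authorizeEditVulnerable(p Principal, r Resource) error {
	if p.IsAdmin || p.IsGlobalAdmin {
		return nil
	}
	return ErrForbidden
}

// authorizeEditFixed enforces ownership on the server side: only a global
// administrator may edit a resource outside the caller's own organization.
func authorizeEditFixed(p Principal, r Resource) error {
	if p.IsGlobalAdmin {
		return nil
	}
	if p.IsAdmin && r.Owner == p.Owner {
		return nil
	}
	return ErrForbidden
}

// handleEdit simulates the edit endpoint and returns the HTTP status it
// would answer with under the given authorization policy.
func handleEdit(p Principal, path string, authorize func(Principal, Resource) error) int {
	r, err := targetFromPath(path)
	if err != nil {
		return http.StatusNotFound
	}
	if err := authorize(p, r); err != nil {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	// Administrator of a non-built-in organization, as in the reproduction steps.
	attacker := Principal{Name: "admin", Owner: "acme", IsAdmin: true}
	for _, path := range []string{"/organizations/built-in", "/applications/other-org/app-other"} {
		fmt.Printf("%-36s vulnerable=%d fixed=%d\n", path,
			handleEdit(attacker, path, authorizeEditVulnerable),
			handleEdit(attacker, path, authorizeEditFixed))
	}
}
```

The point of the contrast is that the ownership comparison lives in the request handler, not in the UI: once the server derives the target from the URL itself and compares its owner with the session's organization, there is no page the attacker can navigate to that the check does not cover.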