Casdoor Cross-Site Scripting Vulnerability in Version 2.356.0

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Casdoor version 2.356.0. The issue arises where the application renders the 'formCss', 'formCssMobile', and 'formSideHtml' fields through 'dangerouslySetInnerHTML', allowing these fields to be manipulated to inject malicious scripts. The vulnerability can be exploited remotely, and an exploit is publicly available.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, an organization admin must inject malicious JavaScript into the 'formCss', 'formCssMobile', or 'formSideHtml' fields of the application settings. Once the malicious content is saved, it will be executed for every user who visits the login page. For example, injecting an image tag with an 'onerror' event that fetches cookies and sends them to an external server will result in session cookie theft.
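As an added example (not Casdoor's own code), the following check flags active content in the three fields this advisory names, so that a defender can audit exported application settings, or review a pending change to them, before the content reaches the login page. The field names come from the advisory; the record shape, the pattern list, the 'markup in CSS field' rule and the sample records are constructed assumptions for illustration.

```javascript
// Added example, not Casdoor's own code. Audits the three application-setting
// fields named in the advisory for content that would execute script when
// rendered through dangerouslySetInnerHTML. Record shape and samples are constructed.

const RISKY_FIELDS = ["formCss", "formCssMobile", "formSideHtml"];

// Indicators of active content rather than plain styling or static markup.
// Assumption: this list is a triage aid, not an exhaustive sanitizer.
const ACTIVE_CONTENT_PATTERNS = [
  { label: "script tag",          re: /<\s*script\b/i },
  { label: "event handler attr",  re: /\bon[a-z]+\s*=/i },
  { label: "javascript: URL",     re: /javascript\s*:/i },
  { label: "iframe/object/embed", re: /<\s*(iframe|object|embed)\b/i },
  { label: "css expression()",    re: /expression\s*\(/i },
  { label: "style closing tag",   re: /<\s*\/\s*style\b/i },
];

// Returns one finding per matching pattern, with the offset and a short snippet
// so a reviewer can locate the content in the stored value.
function findActiveContent(fieldName, value) {
  if (typeof value !== "string" || value.length === 0) return [];
  const findings = [];
  for (const { label, re } of ACTIVE_CONTENT_PATTERNS) {
    const m = re.exec(value);
    if (m) {
      findings.push({
        field: fieldName,
        label,
        offset: m.index,
        snippet: value.slice(m.index, m.index + 40),
      });
    }
  }
  return findings;
}

// Audits one application record. The two CSS fields are expected to hold only a
// stylesheet body, so any angle bracket there is flagged as well (constructed rule).
function auditApplication(app) {
  const findings = [];
  for (const field of RISKY_FIELDS) {
    const value = app[field];
    findings.push(...findActiveContent(field, value));
    if (field !== "formSideHtml" && typeof value === "string" && /[<>]/.test(value)) {
      const offset = value.search(/[<>]/);
      findings.push({
        field,
        label: "markup in CSS field",
        offset,
        snippet: value.slice(offset, offset + 40),
      });
    }
  }
  return findings;
}

// Groups findings by field so a report can say which setting needs review.
function summarize(findings) {
  const byField = {};
  for (const f of findings) {
    (byField[f.field] = byField[f.field] || []).push(f.label);
  }
  return byField;
}

// Constructed sample records: one benign configuration and one that carries
// active content in a CSS field and an event handler in the side HTML.
const SAMPLE_APPS = {
  benign: {
    name: "example-app",
    formCss: ".login-form { max-width: 420px; font-size: 14px; }",
    formCssMobile: "",
    formSideHtml: '<div class="side"><h2>Welcome back</h2><p>Sign in to continue.</p></div>',
  },
  suspicious: {
    name: "example-app",
    formCss: ".login-form{} </style><script>handler()</script>",
    formCssMobile: "",
    formSideHtml: '<div><img src="x" onerror="handler()"></div>',
  },
};

function runAudit() {
  const report = {};
  for (const [name, app] of Object.entries(SAMPLE_APPS)) {
    report[name] = summarize(auditApplication(app));
  }
  return report;
}

console.log(JSON.stringify(runAudit(), null, 2));
```

Pattern matching of this kind is useful for reviewing stored settings and change history, but it is not a substitute for how the fields are rendered: free-form HTML should only reach the page through an allowlist-based HTML sanitizer, and the CSS fields should be validated as stylesheet bodies rather than inserted as markup.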

Remediation

No known mitigation is available.

Added: Apr 3, 2026, 2:18 PM
Updated: Apr 3, 2026, 2:18 PM

Vulnerability Rating

Custom Algorithm

  spread          5.2
  impact          1.7
  exploitability  6.0
  remediation     0.0
  relevance       5.2
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.