High-Severity SQL Injection Vulnerability Found in Casdoor
A high-severity SQL Injection vulnerability (CVE-2022-24124) has been discovered in Casdoor, an open-source Identity and Access Management/Single-Sign-On platform. Reported on Jan 22, 2022, this issue affects versions prior to 1.13.1 and has a CVSS V3 score of 7.5.
The vulnerability exists in the query API and is caused by insufficient validation of user-supplied input. Attackers can exploit it by using XPath functions such as UpdateXML() or ExtractValue() to insert arbitrary SQL queries, resulting in a SQL Injection attack. A simple proof of concept is publicly available, making exploitation easier for skilled attackers.
Qualys has developed a PoC exploit that bypasses output restrictions and dumps file contents. Qualys has also released a new QID, 150470, so users can detect the vulnerability with Qualys Web Application Scanning.
Upgrading to Casdoor 1.13.1 or later versions remediates the vulnerability. Until then, users are advised to monitor their systems for signs of exploitation and consider implementing additional security measures.
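One way to look for signs of exploitation in web server access logs, as an added example that is not code from Qualys or the Casdoor project: it flags requests whose fully URL-decoded query string calls UpdateXML() or ExtractValue(). The combined log format is an assumption, and the log lines, the /api/EXAMPLE-QUERY path and the param name are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Functions named in the advisory. Whitespace or /* */ comments may sit
# between the function name and the opening parenthesis.
XML_FUNC = re.compile(r"\b(updatexml|extractvalue)(?:\s|/\*.*?\*/)*\(", re.I | re.S)

# Request part of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_lines):
    """Return (line_number, function_name, decoded_query) for each hit."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a parsable request line
        # Only the query string is inspected, so a path that merely
        # contains the word "updatexml" does not raise an alert.
        query = decode_fully(urlsplit(match.group("target")).query)
        found = XML_FUNC.search(query)
        if found:
            hits.append((number, found.group(1).lower(), query))
    return hits


# Constructed sample log lines (placeholder endpoint, parameter and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2022:10:00:01 +0000] "GET /api/EXAMPLE-QUERY?param=name&value=admin HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Jan/2022:10:00:05 +0000] "GET /api/EXAMPLE-QUERY?param=UpdateXML(1,CONSTRUCTED,1)&value=x HTTP/1.1" 200 231',
    '203.0.113.7 - - [22/Jan/2022:10:00:09 +0000] "GET /api/EXAMPLE-QUERY?param=extractvalue%2528CONSTRUCTED%2529 HTTP/1.1" 200 231',
    '198.51.100.4 - - [22/Jan/2022:10:01:00 +0000] "GET /docs/updatexml-notes HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, func, query in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: {func}() in query string: {query}")
```

A hit shows an attempt, not a successful injection, and request bodies are not covered because access logs normally do not record them.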