CVE-2023-34927: 
vulnerability analysis and mitigation

Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in the endpoint /api/set-password. This vulnerability was disclosed on June 22, 2023, and affects all versions of Casdoor up to and including version 1.331.0. The vulnerability is tracked as CVE-2023-34927 (NVD, Gist Advisory).

The vulnerability exists due to the absence of CSRF protection mechanisms in the /api/set-password endpoint. The application does not implement CSRF tokens for password change requests, nor does it require the current password for verification. This security flaw has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

This vulnerability allows attackers to arbitrarily change a victim user's password by crafting a malicious URL. If successfully exploited, it can lead to account takeover when a logged-in victim accesses the attacker's malicious site (GitHub Issue).

Security researchers recommend implementing CSRF tokens for the password change functionality or requiring the current password for verification before allowing password changes (GitHub Issue).