CVE-2024-41658: 
vulnerability analysis and mitigation

Casdoor, a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform, contains a reflected Cross-Site Scripting (XSS) vulnerability in version 1.577.0 and earlier. The vulnerability exists in the WechatPay QR code payment functionality, specifically in the purchase URL generation process (GitHub Advisory).

The vulnerability stems from improper handling of the 'successUrl' parameter in the QR code payment page. When users make purchases through Casdoor using WechatPay, the system generates a QR code with a payment link hosted on Casdoor's domain. The page accepts a query parameter 'successUrl' and redirects users to that URL after a successful purchase, without proper sanitization (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If exploited, this vulnerability could lead to Account Takeover. Since users might share the payment page URL without realizing it contains sensitive information, attackers could craft special URLs and perform XSS attacks when payments are completed (GitHub Advisory).

The vulnerability was reported to Casdoor on March 21, 2024, and the maintainers were contacted multiple times regarding the fix. As of the advisory publication on August 14, 2024, no official fix has been released (GitHub Advisory).