Soumettre #781772: Casdoor v2.356.0 Improper Access Controlsinformation

Titre	Casdoor v2.356.0 Improper Access Controls
Description	Casbin Policy Allows Anonymous Access to Sensitive Endpoints Evidence: The Casbin authorization policy contains overly broad wildcard rules: ``` p, , , POST, /api/upload-resource, , // Anyone can upload files p, , , POST, /api/set-password, , // Anyone can attempt password changes p, , , , /scim, , * // SCIM open to all at policy level p, , , GET, /api/get-user, , // Anyone can query users ``` While some endpoints have secondary auth checks in controllers, the defense-in-depth principle is violated. The `/api/upload-resource` being open to anonymous users at the policy level is especially concerning given the path traversal history. Fix: Tighten Casbin policies to require authentication for sensitive endpoints. Use `p, , , POST, /api/upload-resource, , ` should become `p, authenticated, , POST, /api/upload-resource, , *` at minimum. ---
Utilisateur	Ghufran Khan (UID 95493)
Soumission	17/03/2026 14:26 (il y a 20 jours)
Modérer	03/04/2026 09:26 (17 days later)
Statut	Dupliqué
Entrée VulDB	208210 [Casdoor 1.97.3 /api/upload-resource fullFilePath élévation de privilèges]
Points	0

Do you want to use VulDB in your project?

Use the official API to access entries easily!