The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
{ "nvd_published_at": "2022-01-29T23:15:00Z", "github_reviewed_at": "2022-01-31T22:12:48Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-89" ] }