Drdark1999

Name of the Vulnerable Software and Affected Versions ZimaOS versions prior to 1.5.3 Description ZimaOS, a fork of CasaOS, has an issue where the `/v1/sys/proxy` API endpoint, exposed through its web interface, can be exploited to make requests to internal localhost services. This allows unauthenticated access to internal-only endpoints and sensitive local services when the system is accessible from the internet via a Cloudflare Tunnel. The vulnerable endpoint is `/v1/sys/proxy`. Recommendations Update to version 1.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** ZimaOS versions 1.2.4 and earlier **Description** The issue allows unauthenticated users to access sensitive information, such as usernames, through the API endpoint `http://<Server-ip>/v1/users/name` without any authorization. This could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. **Recommendations** For ZimaOS versions 1.2.4 and earlier, as a temporary workaround, consider restricting access to the API endpoint `http://<Server-ip>/v1/users/name` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZimaOS versions 1.2.4 and earlier **Description** The issue concerns the exposure of sensitive data through API endpoints, such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app order.json` and `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json`, without requiring authentication or authorization. This allows attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. **Recommendations** For ZimaOS versions 1.2.4 and earlier, as a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Avoid using these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ZimaOS versions 1.2.4 and earlier **Description** The issue concerns the API endpoint `http://<Server-IP>/v1/users/login`, which returns distinct responses based on whether a username exists or the password is incorrect. This behavior can be exploited for username enumeration, allowing attackers to determine whether a user exists in the system or not. Attackers can leverage this information in further attacks, such as credential stuffing or targeted password brute-forcing. **Recommendations** For ZimaOS versions 1.2.4 and earlier, as a temporary workaround, consider restricting access to the `http://<Server-IP>/v1/users/login` API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZimaOS versions 1.2.4 and earlier **Description** The issue allows authenticated users to perform a directory traversal attack via the API endpoint `http://<Zima Server IP:PORT>/v2 1/file`, enabling access to sensitive system directories such as `/etc`. This could expose critical configuration files and increase the risk of further attacks. **Recommendations** For ZimaOS versions 1.2.4 and earlier, as a temporary workaround, consider restricting access to the `http://<Zima Server IP:PORT>/v2 1/file` API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZimaOS versions 1.2.4 and earlier **Description** The issue concerns improper input validation in the ZimaOS API endpoint `http://<Zima Server IP:PORT>/v3/file?token=<token>&files=<file path>`, allowing authenticated users to read sensitive system files by manipulating the `files` parameter. This exposes critical system data, including password hashes in `/etc/shadow`, posing a high risk for privilege escalation or system compromise. The vulnerability stems from the lack of validation or restriction on file paths provided via the `files` parameter, enabling attackers to access sensitive files outside the intended directory. **Recommendations** For ZimaOS versions 1.2.4 and earlier, as a temporary workaround, consider restricting access to the `http://<Zima Server IP:PORT>/v3/file` API endpoint until a patch is available. Avoid using the `files` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CasaOS versions prior to 0.4.7 **Description** The Casa OS Login page has a username enumeration issue. An attacker can enumerate usernames by observing the application's response. If the username is incorrect, the application returns "User does not exist" with return code "10006", while if the password is incorrect, it returns "User does not exist or password is invalid" with return code "10013". This allows an attacker to determine if a username exists without knowing the password. **Recommendations** For versions prior to 0.4.7, update to version 0.4.7 or later to resolve the issue. As a temporary workaround, consider implementing a single error message, such as "Username/Password is Incorrect!", with a single return code, to prevent attackers from enumerating usernames based on the application's response.

**Name of the Vulnerable Software and Affected Versions** CasaOS versions 0.4.4.3 through 0.4.6 **Description** The CasaOS web application lacks control over login attempts, allowing attackers to perform password brute force attacks and gain full access to the server with super user-level access. **Recommendations** For versions 0.4.4.3 through 0.4.6, update to version 0.4.7 to resolve the issue. As a temporary workaround, consider restricting access to the login functionality until a patch is applied. Avoid using the web application for critical operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CasaOS-UserService versions 0.4.4.3 through 0.4.6 **Description** The CasaOS Login page has a username enumeration issue, allowing an attacker to enumerate CasaOS usernames using the application response. If the username is incorrect, the application gives the error `User does not exist`. If the password is incorrect, the application gives the error `Invalid password`. This issue can be exploited to enumerate usernames. **Recommendations** For versions 0.4.4.3 through 0.4.6, update to version 0.4.7 to fix the issue. As a temporary workaround, consider implementing a single error message, such as `Username/Password is Incorrect!!!`, with a single success code to prevent username enumeration.