PT-2024-20544 · Unknown · Casaos-Userservice

Drdark1999 · Published 2024-03-06 · Updated 2025-05-28 · CVE-2024-24766

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CasaOS-UserService versions 0.4.4.3 through 0.4.6

Description: The CasaOS login page has a username enumeration issue: the application's response to a failed login reveals whether the submitted username exists. If the username is incorrect, the application returns the error "User does not exist"; if the password is incorrect, it returns the error "Invalid password". Because the two failure cases are distinguishable, an attacker can confirm which usernames are valid before attempting to guess passwords.

Recommendations: For versions 0.4.4.3 through 0.4.6, update to version 0.4.7, which fixes the issue. As a temporary workaround, return a single generic error message for both failure cases, such as "Username/Password is Incorrect!!!", together with a single failure status code, so that the response no longer reveals whether the username exists.
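The following Go program is an added illustration and is not CasaOS code: it shows a login handler in the leaking form described above (distinct status codes and messages for "user missing" and "wrong password") next to a hardened form that returns one status and one message for every failed attempt and does the same hashing work on both paths, so neither the message nor the timing distinguishes the cases. The user store, password hashing (plain SHA-256 instead of a slow salted hash, for self-containment), the "/login" path and the "probe" helper are all constructed for this example; the probe is what a regression test would run to check that the two failure cases are no longer distinguishable.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample user store: username -> SHA-256 of the password.
// A real service stores a salted, slow hash (bcrypt/argon2); SHA-256 is
// used here only to keep the example self-contained.
var users = map[string][32]byte{
	"admin": sha256.Sum256([]byte("correct horse battery staple")),
}

// dummyHash is compared against when the user does not exist, so the
// hardened handler performs the same work whether or not the user is known.
var dummyHash = sha256.Sum256([]byte("dummy-password-never-valid"))

type loginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

type loginResponse struct {
	Success bool   `json:"success"`
	Message string `json:"message"`
}

func writeJSON(w http.ResponseWriter, status int, resp loginResponse) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(resp)
}

// vulnerableLogin reproduces the behaviour the advisory describes: the
// status code and message reveal whether the username exists.
func vulnerableLogin(w http.ResponseWriter, r *http.Request) {
	var req loginRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		writeJSON(w, http.StatusBadRequest, loginResponse{false, "Bad request"})
		return
	}
	stored, ok := users[req.Username]
	if !ok {
		writeJSON(w, http.StatusNotFound, loginResponse{false, "User does not exist"})
		return
	}
	given := sha256.Sum256([]byte(req.Password))
	if subtle.ConstantTimeCompare(stored[:], given[:]) != 1 {
		writeJSON(w, http.StatusUnauthorized, loginResponse{false, "Invalid password"})
		return
	}
	writeJSON(w, http.StatusOK, loginResponse{true, "Login successful"})
}

// hardenedLogin returns one status and one message for every failed attempt
// and always runs the hash comparison, even for an unknown user.
func hardenedLogin(w http.ResponseWriter, r *http.Request) {
	var req loginRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		writeJSON(w, http.StatusBadRequest, loginResponse{false, "Bad request"})
		return
	}
	stored, ok := users[req.Username]
	if !ok {
		stored = dummyHash // same work on the unknown-user path
	}
	given := sha256.Sum256([]byte(req.Password))
	match := subtle.ConstantTimeCompare(stored[:], given[:]) == 1
	if !ok || !match {
		writeJSON(w, http.StatusUnauthorized, loginResponse{false, "Username/Password is Incorrect!!!"})
		return
	}
	writeJSON(w, http.StatusOK, loginResponse{true, "Login successful"})
}

// probe posts one login attempt to a handler and returns the status code
// and message, which is all an enumeration check or regression test sees.
func probe(h http.HandlerFunc, user, pass string) (int, string) {
	body := strings.NewReader(fmt.Sprintf(`{"username":%q,"password":%q}`, user, pass))
	req := httptest.NewRequest(http.MethodPost, "/login", body) // constructed path
	rec := httptest.NewRecorder()
	h(rec, req)
	var resp loginResponse
	_ = json.NewDecoder(rec.Body).Decode(&resp)
	return rec.Code, resp.Message
}

// responsesDistinguishUsers reports whether "unknown user" and "known user,
// wrong password" can be told apart by status code or message.
func responsesDistinguishUsers(h http.HandlerFunc) bool {
	s1, m1 := probe(h, "nosuchuser", "x")
	s2, m2 := probe(h, "admin", "x")
	return s1 != s2 || m1 != m2
}

func main() {
	fmt.Println("vulnerable handler leaks username existence:", responsesDistinguishUsers(vulnerableLogin))
	fmt.Println("hardened handler leaks username existence:  ", responsesDistinguishUsers(hardenedLogin))
}
```

Running the program prints `true` for the vulnerable handler and `false` for the hardened one. The uniform message alone closes the enumeration described in the advisory; the dummy-hash comparison additionally keeps the response time of the two failure paths alike, which matters because a slow password hash would otherwise make the unknown-user path measurably faster.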

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2024-24766
GHSA-C967-2652-GFJM
GHSA-HCW2-2R9C-GC6P
GO-2024-2615

Affected Products

Casaos-Userservice