PT-2024-22347 · Casaos · Casaos

Drdark1999 · Published 2024-04-01 · Updated 2025-06-24 · CVE-2024-28232

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CasaOS versions prior to 0.4.7

Description: The CasaOS login page has a username enumeration issue. An attacker can enumerate usernames by observing the application's response. If the username is incorrect, the application returns "User does not exist" with return code "10006", while if the password is incorrect, it returns "User does not exist or password is invalid" with return code "10013". This allows an attacker to determine whether a username exists without knowing the password.

Recommendations: For versions prior to 0.4.7, update to version 0.4.7 or later to resolve the issue. As a temporary workaround, consider returning a single error message, such as "Username/Password is Incorrect!", with a single return code, so that attackers cannot enumerate usernames from the application's response.
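As an added illustration (not CasaOS's own code), the Go sketch below reproduces the two-response pattern the advisory describes beside a handler that applies the recommended single-message workaround, plus a small check a reviewer can run against either handler; the in-memory user store, the SHA-256 hashes and the choice to reuse code 10013 are constructed assumptions. It goes one step past the advisory by verifying a dummy hash for unknown users, so that response timing does not reopen the same oracle.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
)

type loginResult struct{ Code int; Message string } // fields a login API returns

// Constructed in-memory store (username -> sha256(password)); a real service
// would use a salted, slow hash. dummyHash is checked for unknown users so
// both failure paths do comparable work.
var users = map[string][32]byte{"admin": sha256.Sum256([]byte("correct horse"))}
var dummyHash = sha256.Sum256([]byte("placeholder-for-unknown-users"))

func checkPassword(stored [32]byte, pass string) bool {
	h := sha256.Sum256([]byte(pass))
	return subtle.ConstantTimeCompare(stored[:], h[:]) == 1
}

// vulnerableLogin reproduces the behaviour the advisory describes: return code
// 10006 for an unknown user, 10013 for a known user with a wrong password.
func vulnerableLogin(user, pass string) loginResult {
	stored, ok := users[user]
	if !ok {
		return loginResult{10006, "User does not exist"}
	}
	if !checkPassword(stored, pass) {
		return loginResult{10013, "User does not exist or password is invalid"}
	}
	return loginResult{0, "ok"}
}

// hardenedLogin applies the advisory's workaround: one message and one code
// (reusing 10013 is an assumed choice) for every failed attempt.
func hardenedLogin(user, pass string) loginResult {
	stored, ok := users[user]
	if !ok {
		stored = dummyHash // still run the comparison below
	}
	if !checkPassword(stored, pass) || !ok {
		return loginResult{10013, "Username/Password is Incorrect!"}
	}
	return loginResult{0, "ok"}
}

// leaksUserExistence: does the handler answer unknown-user and wrong-password differently?
func leaksUserExistence(login func(string, string) loginResult) bool {
	return login("admin", "wrong") != login("no-such-user", "wrong")
}
```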

Related Identifiers

CVE-2024-28232
GHSA-HCW2-2R9C-GC6P
GO-2024-2668

Affected Products

Casaos