Home > Vulnerability Database > CVE-2024-24765

Mend.io Vulnerability Database

CVE-2024-24765

Good to know:

Date: March 6, 2024

CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.

Language: Go

Severity Score

7.5

Related Resources (5)

Url: https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-24765

Url: https://github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e

Url: https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7

Url: https://www.mend.io/vulnerability-database/CVE-2024-24765

Severity Score

7.5

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Top Fix

Upgrade Version

Upgrade to version v0.4.7

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-24765

Good to know:

Date: March 6, 2024

Language: Go

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?