Vulnerability DatabaseCVE-2024-24766
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-24766
March 06, 2024
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error "**User does not exist**". If the password is incorrect application gives the error "**Invalid password**". Version 0.4.7 fixes this issue.
Affected Packages
github.com/IceWhaleTech/CasaOS-UserService (GO):
Affected version(s) >=v0.4.5 <v0.4.7
Fix Suggestion:
Update to version v0.4.7
Related ResourcesĀ (6)
https://github.com/IceWhaleTech/CasaOS-UserService
https://nvd.nist.gov/vuln/detail/CVE-2024-24766
https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-hcw2-2r9c-gc6p
https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c967-2652-gfjm
https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
https://github.com/IceWhaleTech/CasaOS-UserService/commit/c75063d7ca5800948e9c09c0a6efe9809b5d39f7
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.2
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Observable Discrepancy
CWE-203
Observable Response Discrepancy
CWE-204
EPSS
Base Score:
0.36