Vulnerability Description
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the CasaOS login page is vulnerable to username enumeration. An attacker can enumerate CasaOS usernames from the application's responses: if the username is incorrect, the application returns the error `User does not exist`; if the password is incorrect, it returns the error `Invalid password`. Version 0.4.7 fixes this issue.
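The response difference described above, next to a login check that does not leak account existence. This is an added example, not code from CasaOS-UserService or its patch; the function names, the in-memory user store, and the generic error text are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed sample data. Salted SHA-256 is a stdlib stand-in so this runs
// offline; a real service would use a slow hash such as bcrypt or Argon2.
func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte("constructed-salt" + pw)) }

var users = map[string][32]byte{"alice": hashPassword("correct horse")}

// dummyHash is compared when the user is unknown so both paths do equal work.
var dummyHash = hashPassword("placeholder-for-unknown-users")

// vulnerableLogin mirrors the advisory: the error text reveals account existence.
func vulnerableLogin(user, pw string) (bool, string) {
	stored, ok := users[user]
	if !ok {
		return false, "User does not exist"
	}
	got := hashPassword(pw)
	if subtle.ConstantTimeCompare(got[:], stored[:]) != 1 {
		return false, "Invalid password"
	}
	return true, "OK"
}

// hardenedLogin returns one message for every failure and always hashes and compares.
func hardenedLogin(user, pw string) (bool, string) {
	stored, ok := users[user]
	if !ok {
		stored = dummyHash
	}
	got := hashPassword(pw)
	match := subtle.ConstantTimeCompare(got[:], stored[:]) == 1
	if !ok || !match { // a match against dummyHash must never authenticate
		return false, "Invalid username or password"
	}
	return true, "OK"
}

func main() {
	for _, u := range []string{"alice", "mallory"} {
		_, v := vulnerableLogin(u, "wrong")
		_, h := hardenedLogin(u, "wrong")
		fmt.Printf("%-8s vulnerable=%q hardened=%q\n", u, v, h)
	}
}
```

A regression test for this class of bug asserts that the response for an unknown user and for a known user with a wrong password is identical in body and status code.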
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Icewhale | Casaos-Userservice | >= 0.4.4-3, <= 0.4.7 |
Related Weaknesses (CWE)
References
- https://github.com/IceWhaleTech/CasaOS-UserService/commit/c75063d7ca5800948e9c09 (Patch)
- https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7 (Release Notes)
- https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c967 (Vendor Advisory)
- https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-hcw2 (Exploit)
FAQ
What is CVE-2024-24766?
CVE-2024-24766 is a vulnerability with a CVSS score of 6.2 (MEDIUM). CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability i...
How severe is CVE-2024-24766?
CVE-2024-24766 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-24766?
Check the references section above for vendor advisories and patch information. Affected products include: Icewhale Casaos-Userservice.