link

3 exploits Active since Mar 2022
CVE-2022-24193 WRITEUP CRITICAL WRITEUP
CasaOS <0.2.7 - Command Injection
CasaOS before v0.2.7 was discovered to contain a command injection vulnerability.
CVSS 9.8
CVE-2023-37266 WRITEUP CRITICAL WRITEUP
Icewhale Casaos < 0.4.4 - Authentication Bypass
CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict access to CasaOS to untrusted users, for instance by not exposing it publicly.
CVSS 9.8
CVE-2024-24765 WRITEUP HIGH WRITEUP
CasaOS-UserService <0.4.7 - Path Traversal
CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.
CVSS 7.5