CVE-2024-24766
MEDIUMCasaOS-UserService 0.4.4.3-0.4.6 - Username Enumeration via Login Error Messages
Title source: llmDescription
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error `**User does not exist**`. If the password is incorrect application gives the error `**Invalid password**`. Version 0.4.7 fixes this issue.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c967-2652-gfjm
Patch x_refsource_misc
https://github.com/IceWhaleTech/CasaOS-UserService/commit/c75063d7ca5800948e9c09c0a6efe9809b5d39f7
Release Notes x_refsource_misc
https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
Scores
CVSS v3
6.2
EPSS
0.0076
EPSS Percentile
50.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-204
CWE-203
Status
published
Products (2)
icewhale/casaos-userservice
0.4.4-3 - 0.4.7
IceWhaleTech/CasaOS-UserService
0.4.4.3 - 0.4.7Go
Published
Mar 06, 2024
Tracked Since
Feb 18, 2026