CVE-2024-24766

MEDIUM

CasaOS <0.4.7 - Info Disclosure

Title source: llm

Description

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error `**User does not exist**`. If the password is incorrect application gives the error `**Invalid password**`. Version 0.4.7 fixes this issue.

References (4)

[Exploit] https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-hcw2-2r9c-gc6p

[Vendor Advisory] https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-c967-2652-gfjm

[Patch] https://github.com/IceWhaleTech/CasaOS-UserService/commit/c75063d7ca5800948e9c09c0a6efe9809b5d39f7

View Patch ZIP pw:eip

[Release Notes] https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7

Scores

CVSS v3 6.2

EPSS 0.0047

EPSS Percentile 64.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-204 CWE-203

Status published

Products (2)

icewhale/casaos-userservice 0.4.4-3 - 0.4.7

IceWhaleTech/CasaOS-UserService 0.4.4.3 - 0.4.7Go

Published Mar 06, 2024

Tracked Since Feb 18, 2026