CVE-2024-28232

MEDIUM

CasaOS <0.4.7 - Info Disclosure

Title source: llm

Description

Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in version 0.4.8 but that version has not yet been uploaded to Go's package manager.

References (2)

[Exploit, Vendor Advisory] https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-hcw2-2r9c-gc6p

[Patch] https://github.com/IceWhaleTech/CasaOS-UserService/commit/dd927fe1c805e53790f73cfe10c7a4ded3bc5bdb

View Patch ZIP pw:eip

Scores

CVSS v3 6.2

EPSS 0.0034

EPSS Percentile 56.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-204

Status published

Products (2)

icewhale/casaos-userservice 0.4.7

IceWhaleTech/CasaOS-UserService 0.4.7 - 0.4.8Go

Published Apr 01, 2024

Tracked Since Feb 18, 2026