65 matches found
PT-2025-26616 · Ncr · Ncr Terminal Handler
Name of the Vulnerable Software and Affected Versions: NCR Terminal Handler version 1.5.1
Description: The issue allows a remote attacker to execute arbitrary code via a crafted script to the "UserService SOAP API" function.
Recommendations: For NCR Terminal Handler version 1.5.1, consider...
CVE-2023-47030
An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via a GET request to a UserService SOAP API endpoint to validate if a user exists...
CVE-2024-50693
SunGrow iSolarCloud before the October 31, 2024 remediation is vulnerable to insecure direct object references (IDOR) via the userService API model...
CVE-2024-50693
SunGrow iSolarCloud ecosystem (Android app and cloud) is affected by insecure direct object references (IDOR) via the userService API model, with the Solar iCloud API and related services (powerStationService, orgService, commonService, devService) exposing unauthorized access to user data and po...
CVE-2024-24767
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. Th...
Username Enumeration
IceWhaleTech/CasaOS-UserService is vulnerable to username enumeration. The vulnerability is due to improper error handling on the login page, which discloses whether a username exists based on the application's response to authentication attempts...
CVE-2024-28232
The CVE-2024-28232 entry concerns a username enumeration flaw in CasaOS-UserService (CasaOS Login page). The issue arises because the login responses reveal whether a username exists, enabling enumeration. It was patched in CasaOS v0.4.8, though that version had not yet been uploaded to Go's pack...
CVE-2024-28232 Username Enumeration in CasaOS via bypass of CVE-2024-24766
Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in version 0.4.8 but that...
GO-2024-2615 Username enumeration in github.com/IceWhaleTech/CasaOS-UserService
CasaOS-UserService is vulnerable to a username enumeration issue, when an attacker can enumerate the CasaOS username using the application response. If the username is incorrect, the application gives the error 'User does not exist'. If the password is incorrect, the application gives the error...
GO-2024-2616 Path traversal and user privilege escalation in github.com/IceWhaleTech/CasaOS-UserService
The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system...
Improper Authorization
github.com/IceWhaleTech/CasaOS-UserService is vulnerable to Improper Authorization. The vulnerability is due to improper path filtering in the URL of user avatar image files. The regular expression used in the code snippet fails to sufficiently restrict access, allowing unauthorized actors to...
CVE-2024-24766
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. I...
Design/Logic Flaw
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. I...
CVE-2024-24765
CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user...
Default credentials
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. Th...
Design/Logic Flaw
CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user...