CVE-2024-24766 CasaOS Username Enumeration
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the CasaOS login page had a username enumeration vulnerability: an attacker can enumerate CasaOS usernames using the application's response. I...
CVE-2024-24766
CVE-2024-24766 concerns username enumeration in the CasaOS-UserService login page. Affected software is CasaOS-UserService (the login module) with versions prior to 0.4.7 (specifically 0.4.4.3 through 0.4.7) where the login responses disclosed whether a username exists via distinct error messages...
CVE-2024-24767 CasaOS Improper Restriction of Excessive Authentication Attempts vulnerability
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. Th...
CVE-2024-24767
CVE-2024-24767 concerns CasaOS-UserService, where versions before 0.4.7 fail to defend against password brute-force attacks, allowing an attacker with network access to achieve superuser-level access to the server. The issue is due to inadequate protection over login attempts in the CasaOS web app. A pat...
CVE-2024-24765 CasaOS-UserService allows unauthorized access to any file
CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user...
CVE-2024-24765
CVE-2024-24765 affects CasaOS-UserService prior to version 0.4.7, where lax path filtering of the avatar image URL allowed path traversal and access to arbitrary files (e.g., user database) on the system, potentially enabling privilege escalation. The issue is fixed in 0.4.7. Affected entries in ...
GHSA-H5GF-CMM8-CG7C CasaOS-UserService allows unauthorized access to any file
Summary http://demo.casaos.io/v1/users/image?path=/var/lib/casaos/1/avatar.png Originally this endpoint was used to get the URL of the user's avatar, but the path filtering was not strict, making it possible to get any file on the system. Details Construct paths to get any file, such as the CasaOS user database,...
PT-2024-20544 · Unknown · Casaos-Userservice
Name of the Vulnerable Software and Affected Versions: CasaOS-UserService versions 0.4.4.3 through 0.4.6 Description: The CasaOS Login page has a username enumeration issue, allowing an attacker to enumerate CasaOS usernames using the application response. If the username is incorrect, the...
CasaOS Security Vulnerabilities
CasaOS is a simple, easy to use and elegant open source home cloud system. A security vulnerability exists in CasaOS-UserService versions prior to 0.4.6 that stems from lax filtering of URL paths, which allows an attacker to obtain any file on the system...
CasaOS Security Vulnerabilities
CasaOS is a simple, easy-to-use, and elegant open source home cloud system. A security vulnerability exists in CasaOS-UserService versions from 0.4.4.3 up to (but not including) 0.4.7, which stems from a lack of login-attempt limiting that could allow an attacker to gain superuser-level access via brute-force cracking...
CasaOS Security Vulnerabilities
CasaOS is a simple, easy-to-use, and elegant open source home cloud system. A security vulnerability exists in CasaOS-UserService versions from 0.4.4.3 up to (but not including) 0.4.7, which stems from a username enumeration vulnerability in the login page...
Design/Logic Flaw
CubeFS is an open-source cloud-native file storage system. A vulnerability was found in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root cause of the vulnerability was that CubeFS...
CVE-2023-46739 Timing attack can leak user passwords
CubeFS is an open-source cloud-native file storage system. A vulnerability was found in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root cause of the vulnerability was that CubeFS...