CVE-2024-49359

CVE-2024-49359 affects ZimaOS (fork of CasaOS) prior to or including version 1.2.4. The vulnerability is a directory traversal in the API endpoint /v2_1/file, exploitable by an authenticated user who can manipulate the path parameter to list arbitrary directories (e.g., /etc) on the server. The r...

CVE-2024-49359 ZimaOS vulnerable to Directory Listing via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v21/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on...

CVE-2024-49359 ZimaOS vulnerable to Directory Listing via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v21/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on...

CVE-2024-49358 ZimaOS vulnerable to Username Enumeration via API Responses

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can b...

CVE-2024-49358 ZimaOS vulnerable to Username Enumeration via API Responses

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can b...

CVE-2024-49358

ZimaOS (fork of CasaOS) prior to and including 1.2.4 is affected by CVE-2024-49358 due to an API behavior at /v1/users/login that reveals whether a username exists, enabling username enumeration. This is a network-facing issue with CVSS 5.3 (MEDIUM); no patched versions are publicly available per...

CVE-2024-49358 ZimaOS vulnerable to Username Enumeration via API Responses

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can b...

CVE-2024-49357 ZimaOS (Installed Applications and System Information) has Unauthorized Sensitive Data Leak

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http:///v1/users/image?path=/var/lib/casaos/1/apporder.json and http:///v1/users/image?path=/var/lib/casaos/1/system.json,...

CVE-2024-49357

CVE-2024-49357 affects ZimaOS (a CasaOS fork) on Zima devices and x86-64 with UEFI. Versions 1.2.4 and earlier expose sensitive data through unauthenticated API endpoints, e.g. /v1/users/image?path=/var/lib/casaos/1/app_order.json and /var/lib/casaos/1/system.json, enabling attackers to view inst...

CVE-2024-49357 ZimaOS (Installed Applications and System Information) has Unauthorized Sensitive Data Leak

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http:///v1/users/image?path=/var/lib/casaos/1/apporder.json and http:///v1/users/image?path=/var/lib/casaos/1/system.json,...

CVE-2024-49357 ZimaOS (Installed Applications and System Information) has Unauthorized Sensitive Data Leak

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http:///v1/users/image?path=/var/lib/casaos/1/apporder.json and http:///v1/users/image?path=/var/lib/casaos/1/system.json,...

CVE-2024-48932

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint http:///v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be...

CVE-2024-48931

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint http:///v3/file?token=&files= is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files...

CVE-2024-48932 ZimaOS Unauthenticated API Discloses Usernames

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint http:///v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be...

CVE-2024-48932

ZimaOS (a CasaOS fork) before version 1.5.0 exposes usernames via unauthenticated access to /v1/users/name (http:///v1/users/name). The root cause is an access control flaw that allows information disclosure and potential for username enumeration, enabling subsequent phishing or brute-force attac...

CVE-2024-48932 ZimaOS Unauthenticated API Discloses Usernames

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint http:///v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be...

CVE-2024-48932 ZimaOS Unauthenticated API Discloses Usernames

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint http:///v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be...

CVE-2024-48931 ZimaOS Arbitrary File Read via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint http:///v3/file?token=&files= is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files...

CVE-2024-48931 ZimaOS Arbitrary File Read via Parameter Manipulation

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint http:///v3/file?token=&files= is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files...

CVE-2024-48931

ZimaOS (fork of CasaOS) versions 1.2.4 and earlier are affected by an arbitrary file read vulnerability in the API endpoint /v3/file?token=&files=, caused by improper input validation on the files parameter. Authenticated users can manipulate the files value to access sensitive files outside the ...