Lucene search

Zimaspace Zimaos

5 matches found

CVE
added 2024/10/24 9:15 p.m., 71 views

CVE-2024-48932

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerabili...

CVSS: 5.3, AI score: 5.3, EPSS: 0.00179
CVE
added 2024/10/24 10:15 p.m., 71 views

CVE-2024-49358

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can be ...

CVSS: 5.3, AI score: 5.2, EPSS: 0.00051
Web
CVE
added 2024/10/24 10:15 p.m., 68 views

CVE-2024-49357

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http:///v1/users/image?path=/var/lib/casaos/1/app_order.json and http:///v1/users/image?path=/var/lib/casaos/1/system.json, ex...

CVSS: 7.5, AI score: 7.8, EPSS: 0.00065
Web
CVE
added 2024/10/24 10:15 p.m., 68 views

CVE-2024-49359

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v2_1/file in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on t...

CVSS: 7.5, AI score: 7.5, EPSS: 0.00944
Web
CVE
added 2024/10/24 9:15 p.m., 65 views

CVE-2024-48931

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint http:///v3/file?token=&files= is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files parameter...

CVSS: 7.5, AI score: 7.8, EPSS: 0.004
Web