GitHub_MVULNRICHMENT:CVE-2024-28232CVE-2024-28232 Username Enumeration in CasaOS via bypass of CVE-2024-24766
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
15.5%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial
Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in version 0.4.8 but that version has not yet been uploaded to Go’s package manager.
CNA Affected
[
{
"vendor": "IceWhaleTech",
"product": "CasaOS-UserService",
"versions": [
{
"version": "= 0.4.7",
"status": "affected"
}
]
}
]ADP Affected
[
{
"cpes": [
"cpe:2.3:a:icewhaletech:casaos-userservice:0.4.7:*:*:*:*:*:*:*"
],
"vendor": "icewhaletech",
"product": "casaos-userservice",
"versions": [
{
"status": "affected",
"version": "0.4.7"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
15.5%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial