CVE-2024-24766

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-24766
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-24766.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-24766
Published
2024-03-06T19:15:07Z
Modified
2025-05-28T21:08:29.624064Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details

CasaOS-UserService provides user management functionality to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the CasaOS login page is vulnerable to username enumeration. An attacker can enumerate CasaOS usernames from the application's responses: if the username is incorrect, the application returns the error **User does not exist**; if the password is incorrect, it returns the error **Invalid password**. Version 0.4.7 fixes this issue.

Affected packages

Git / github.com/icewhaletech/casaos-userservice

Affected ranges

Type
GIT
Repo
https://github.com/icewhaletech/casaos-userservice

Affected versions

v0.*

v0.3.5-alpha1
v0.3.5-alpha2
v0.3.5-alpha3
v0.3.6
v0.3.6-alpha1
v0.3.6-alpha2
v0.3.6-alpha3
v0.3.6-alpha4
v0.3.6-alpha5
v0.3.6-alpha6
v0.3.6-alpha7
v0.3.7
v0.3.7-alpha1
v0.3.7-alpha2
v0.4.0
v0.4.0-alpha1
v0.4.0-alpha2
v0.4.0-alpha3
v0.4.0-alpha4
v0.4.0-alpha5
v0.4.0-alpha6
v0.4.1
v0.4.1-alpha1
v0.4.1-alpha2
v0.4.2
v0.4.2-alpha1
v0.4.4
v0.4.4-2-alpha1
v0.4.4-3-alpha1
v0.4.4-3-alpha2
v0.4.4-3-alpha3
v0.4.4-alpha1
v0.4.4-alpha2
v0.4.4-alpha3
v0.4.4-alpha5
v0.4.4-alpha6
v0.4.4-alpha7
v0.4.4-alpha8
v0.4.5
v0.4.6-alpha1
v0.4.6-alpha2