Vulnerability Report: GO-2024-2668

  • CVE-2024-28232, GHSA-hcw2-2r9c-gc6p
  • Affects: github.com/IceWhaleTech/CasaOS-UserService
  • Published: Apr 02, 2024
  • Modified: Apr 03, 2024

The Casa OS Login page has a username enumeration vulnerability in the login page that was patched in Casa OS v0.4.7. The issue exists because the application response differs depending on whether the username or password is incorrect, allowing an attacker to enumerate usernames by observing the application response. For example, if the username is incorrect, the application returns "User does not exist" with return code "10006", while if the password is incorrect, it returns "User does not exist or password is invalid" with return code "10013". This allows an attacker to determine if a username exists without knowing the password.

Affected Packages

Aliases

References

Credits

  • DrDark1999

Feedback

See anything missing or incorrect? Suggest an edit to this report.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.