id: GO-2024-2668
modules:
    - module: github.com/IceWhaleTech/CasaOS-UserService
      versions:
        - fixed: 0.4.8
      vulnerable_at: 0.4.7
      packages:
        - package: github.com/IceWhaleTech/CasaOS-UserService/route/v1
          symbols:
            - PostUserLogin
summary: Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService
description: |-
    The login handler of CasaOS-UserService (PostUserLogin in route/v1) has a
    username enumeration vulnerability, fixed in version 0.4.8. The response
    to a failed login differs depending on whether the username or the
    password is wrong: an unknown username returns "User does not exist" with
    return code 10006, while a known username with a wrong password returns
    "User does not exist or password is invalid" with return code 10013. By
    submitting candidate usernames with any password and comparing the
    responses, an attacker can confirm which accounts exist without knowing
    any password, turning blind password guessing into a targeted attack on
    known accounts.
cves:
    - CVE-2024-28232
ghsas:
    - GHSA-hcw2-2r9c-gc6p
credits:
    - DrDark1999
references:
    - advisory: https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-hcw2-2r9c-gc6p
    - fix: https://github.com/IceWhaleTech/CasaOS-UserService/commit/dd927fe1c805e53790f73cfe10c7a4ded3bc5bdb
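The following Go program is an added illustration of the response-oracle described above; it is not code from CasaOS-UserService or from the advisory. It models a login handler in two forms: one that mirrors the behaviour the advisory describes (distinct code and message for "unknown user" versus "wrong password") and a hardened one that returns a single failure response and does the same amount of work on both paths. The return codes 10006 and 10013 and their messages are taken from the advisory text; the function names (loginVulnerable, loginHardened, enumerateUsers), the LoginResult type, the in-memory user table and the use of SHA-256 as a stand-in password hash are this example's own assumptions, not the project's API or storage format. The attacker-side enumerateUsers function shows the check a pentester would run against either version.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Response codes quoted in the advisory; the constant names are this example's own.
const (
	codeOK                  = 200
	codeUserNotExist        = 10006 // "User does not exist"
	codeUserOrPasswordWrong = 10013 // "User does not exist or password is invalid"
)

// LoginResult is what the hypothetical login endpoint returns to the client.
type LoginResult struct {
	Code    int
	Message string
}

// LoginFunc models a login handler: credentials in, observable response out.
type LoginFunc func(username, password string) LoginResult

// Constructed user table (not real data): username -> SHA-256 of the password.
// SHA-256 is a stand-in here; a real service must use a slow password hash
// such as bcrypt, scrypt or argon2.
var users = map[string][32]byte{
	"alice": sha256.Sum256([]byte("correct horse battery staple")),
}

// dummyHash is compared against when the username is unknown, so the hardened
// path performs a comparison whether or not the account exists.
var dummyHash = sha256.Sum256([]byte("dummy"))

func passwordMatches(stored [32]byte, password string) bool {
	h := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(stored[:], h[:]) == 1
}

// loginVulnerable reproduces the behaviour the advisory describes: the code and
// message tell the caller which half of the credential was wrong.
func loginVulnerable(username, password string) LoginResult {
	stored, ok := users[username]
	if !ok {
		return LoginResult{codeUserNotExist, "User does not exist"}
	}
	if !passwordMatches(stored, password) {
		return LoginResult{codeUserOrPasswordWrong, "User does not exist or password is invalid"}
	}
	return LoginResult{codeOK, "ok"}
}

// loginHardened collapses both failure causes into one response and always runs
// the password comparison, so neither the body nor the amount of work done
// depends on whether the username exists.
func loginHardened(username, password string) LoginResult {
	stored, ok := users[username]
	if !ok {
		stored = dummyHash
	}
	match := passwordMatches(stored, password) // computed unconditionally
	if !ok || !match {
		return LoginResult{codeUserOrPasswordWrong, "User does not exist or password is invalid"}
	}
	return LoginResult{codeOK, "ok"}
}

// enumerateUsers is the attacker's oracle: log in with a deliberately wrong
// password and keep every candidate whose response differs from the response
// for a name that cannot exist. It returns the usernames the handler leaks.
func enumerateUsers(login LoginFunc, candidates []string) []string {
	baseline := login("no-such-user-5f3a9c", "wrong-password")
	var found []string
	for _, name := range candidates {
		if login(name, "wrong-password") != baseline {
			found = append(found, name)
		}
	}
	return found
}

func main() {
	candidates := []string{"admin", "alice", "bob"}
	fmt.Println("vulnerable handler leaks:", enumerateUsers(loginVulnerable, candidates))
	fmt.Println("hardened handler leaks:  ", enumerateUsers(loginHardened, candidates))
}
```

When reviewing a fix for this class of bug, check the response body, the status code and the error code together, and confirm the handler does not return early before the password check, otherwise a timing difference can leak the same information a uniform message was meant to hide.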