id: GO-2024-2668
modules:
- module: github.com/IceWhaleTech/CasaOS-UserService
versions:
- fixed: 0.4.8
vulnerable_at: 0.4.7
packages:
- package: github.com/IceWhaleTech/CasaOS-UserService/route/v1
symbols:
- PostUserLogin
summary: Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService
description: |-
    The CasaOS login page has a username enumeration vulnerability that was
    patched in Casa OS v0.4.7. The issue exists because the application's
    response differs depending on whether the username or the password is
    incorrect, allowing an attacker to enumerate valid usernames by
    observing the response. For example, if the username is incorrect, the
    application returns "User does not exist" with return code "10006",
    while if the password is incorrect, it returns "User does not exist or
    password is invalid" with return code "10013". This allows an attacker
    to determine whether a username exists without knowing the password.
cves:
- CVE-2024-28232
ghsas:
- GHSA-hcw2-2r9c-gc6p
credits:
- DrDark1999
references:
- fix: https://github.com/IceWhaleTech/CasaOS-UserService/commit/dd927fe1c805e53790f73cfe10c7a4ded3bc5bdb