| id: GO-2024-2668 |
| modules: |
| - module: github.com/IceWhaleTech/CasaOS-UserService |
| versions: |
| - fixed: 0.4.8 |
| vulnerable_at: 0.4.7 |
| packages: |
| - package: github.com/IceWhaleTech/CasaOS-UserService/route/v1 |
| symbols: |
| - PostUserLogin |
| summary: Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService |
| description: |- |
| The Casa OS Login page has a username enumeration vulnerability in the login |
| page that was patched in Casa OS v0.4.7. The issue exists because the |
| application response differs depending on whether the username or password is |
| incorrect, allowing an attacker to enumerate usernames by observing the |
| application response. For example, if the username is incorrect, the application |
| returns "User does not exist" with return code "10006", while if the password is |
| incorrect, it returns "User does not exist or password is invalid" with return |
| code "10013". This allows an attacker to determine if a username exists without |
| knowing the password. |
| cves: |
| - CVE-2024-28232 |
| ghsas: |
| - GHSA-hcw2-2r9c-gc6p |
| credits: |
| - DrDark1999 |
| references: |
| - fix: https://github.com/IceWhaleTech/CasaOS-UserService/commit/dd927fe1c805e53790f73cfe10c7a4ded3bc5bdb |
| review_status: REVIEWED |