blob: 87a8f01384dcd6256d84bfbb32274986eb137121 [file] [log] [blame]
id: GO-2024-2668
modules:
- module: github.com/IceWhaleTech/CasaOS-UserService
versions:
- fixed: 0.4.8
vulnerable_at: 0.4.7
packages:
- package: github.com/IceWhaleTech/CasaOS-UserService/route/v1
symbols:
- PostUserLogin
summary: Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService
description: |-
The Casa OS Login page has a username enumeration vulnerability in the login
page that was patched in Casa OS v0.4.7. The issue exists because the
application response differs depending on whether the username or password is
incorrect, allowing an attacker to enumerate usernames by observing the
application response. For example, if the username is incorrect, the application
returns "User does not exist" with return code "10006", while if the password is
incorrect, it returns "User does not exist or password is invalid" with return
code "10013". This allows an attacker to determine if a username exists without
knowing the password.
cves:
- CVE-2024-28232
ghsas:
- GHSA-hcw2-2r9c-gc6p
credits:
- DrDark1999
references:
- fix: https://github.com/IceWhaleTech/CasaOS-UserService/commit/dd927fe1c805e53790f73cfe10c7a4ded3bc5bdb
review_status: REVIEWED