cve/CVE-2024-49357.md at main

admin/cve

Fork 0

mirror of https://github.com/0xMarcio/cve.git synced 2025-11-28 18:48:49 +00:00

0xMarcio cb00e1339f Update CVE list 2025-09-29 21:09

2025-09-29 21:09:30 +02:00

1.4 KiB

Raw Permalink Blame History

CVE-2024-49357

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json and http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of time of publication, no known patched versions are available.

POC

Reference

https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-hg2h-q5h6-r5c4
https://youtu.be/H_WoqzM-9Cc

Github

https://github.com/fkie-cad/nvd-json-data-feeds

1.4 KiB Raw Permalink Blame History

CVE-2024-49357

Description

POC

Reference

Github

1.4 KiB

Raw Permalink Blame History