cve/CVE-2024-49358.md at cb00e1339f55f9551dd27140c9ce222c7fab7101

admin/cve

mirror of https://github.com/0xMarcio/cve.git synced 2025-11-30 18:56:19 +00:00

0xMarcio cb00e1339f Update CVE list 2025-09-29 21:09

2025-09-29 21:09:30 +02:00

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http://<Server-IP>/v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can be exploited for username enumeration, allowing attackers to determine whether a user exists in the system or not. Attackers can leverage this information in further attacks, such as credential stuffing or targeted password brute-forcing. As of time of publication, no known patched versions are available.

POC

Reference

https://github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-3f6g-8r88-3mx5
https://youtu.be/BClx2u8DMfM

Github

https://github.com/fkie-cad/nvd-json-data-feeds

1.3 KiB Raw Blame History

CVE-2024-49358

Description

POC

Reference

Github

1.3 KiB

Raw Blame History