Skip to main content

Zimaos CVE-2024-48931

HIGH
Path Traversal (CWE-22)
2024-10-24 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 24, 2024 - 21:15 nvd
HIGH 7.5

DescriptionNVD

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path> is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files parameter, authenticated users can read sensitive system files, including /etc/shadow, which contains password hashes for all users. This vulnerability exposes critical system data and poses a high risk for privilege escalation or system compromise. The vulnerability occurs because the API endpoint does not validate or restrict file paths provided via the files parameter. An attacker can exploit this by manipulating the file path to access sensitive files outside the intended directory. As of time of publication, no known patched versions are available.

AnalysisAI

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path> is vulnerable to arbitrary file reading due to improper input validation. By manipulating the files parameter, authenticated users can read sensitive system files, including /etc/shadow, which contains password hashes for all users. This vulnerability exposes critical system data and poses a high risk for privilege escalation or system compromise. The vulnerability occurs because the API endpoint does not validate or restrict file paths provided via the files parameter. An attacker can exploit this by manipulating the file path to access sensitive files outside the intended directory. As of time of publication, no known patched versions are available. Affected products include: Zimaspace Zimaos. Version information: version 1.2.4.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

More in Zimaos

View all
CVE-2026-21891 CRITICAL POC
9.4 Jan 08

ZimaOS (fork of CasaOS) through 1.5.0 has an authentication bypass where passwords for system service accounts are not p

CVE-2026-28286 HIGH POC
8.5 Mar 02

ZimaOS 1.5.2-beta3 lacks proper path validation in its API, allowing authenticated users to bypass frontend restrictions

CVE-2026-28442 HIGH POC
8.5 Mar 05

ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass

CVE-2024-49359 HIGH POC
7.5 Oct 24

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS

CVE-2024-49357 HIGH POC
7.5 Oct 24

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS

CVE-2025-64427 HIGH POC
7.1 Mar 02

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. [CVSS 7.1 HIGH]

CVE-2024-49358 MEDIUM POC
5.3 Oct 24

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV

CVE-2024-48932 MEDIUM POC
5.3 Oct 24

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV

CVE-2025-58432 MEDIUM POC
5.2 Sep 17

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV

CVE-2026-28798 CRITICAL
9.0 Apr 03

Server-side request forgery (SSRF) in ZimaOS web interface allows unauthenticated remote attackers to access internal lo

CVE-2025-58431 MEDIUM POC
4.8 Sep 17

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV

Share

CVE-2024-48931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy