Zimaos
CVE-2024-48932
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint http://<Server-ip>/v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available.
AnalysisAI
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-284. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint http://<Server-ip>/v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available. Affected products include: Zimaspace Zimaos.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
ZimaOS (fork of CasaOS) through 1.5.0 has an authentication bypass where passwords for system service accounts are not p
ZimaOS 1.5.2-beta3 lacks proper path validation in its API, allowing authenticated users to bypass frontend restrictions
ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. [CVSS 7.1 HIGH]
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV
Server-side request forgery (SSRF) in ZimaOS web interface allows unauthenticated remote attackers to access internal lo
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today