Skip to main content

Zimaos CVE-2024-49357

HIGH
Information Exposure (CWE-200)
2024-10-24 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 24, 2024 - 22:15 nvd
HIGH 7.5

DescriptionNVD

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json and http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of time of publication, no known patched versions are available.

AnalysisAI

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json and http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/system.json, expose sensitive data like installed applications and system information without requiring any authentication or authorization. This sensitive data leak can be exploited by attackers to gain detailed knowledge about the system setup, installed applications, and other critical information. As of time of publication, no known patched versions are available. Affected products include: Zimaspace Zimaos. Version information: version 1.2.4.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

More in Zimaos

View all
CVE-2026-21891 CRITICAL POC
9.4 Jan 08

ZimaOS (fork of CasaOS) through 1.5.0 has an authentication bypass where passwords for system service accounts are not p

CVE-2026-28286 HIGH POC
8.5 Mar 02

ZimaOS 1.5.2-beta3 lacks proper path validation in its API, allowing authenticated users to bypass frontend restrictions

CVE-2026-28442 HIGH POC
8.5 Mar 05

ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass

CVE-2024-49359 HIGH POC
7.5 Oct 24

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS

CVE-2024-48931 HIGH POC
7.5 Oct 24

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS

CVE-2025-64427 HIGH POC
7.1 Mar 02

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. [CVSS 7.1 HIGH]

CVE-2024-49358 MEDIUM POC
5.3 Oct 24

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV

CVE-2024-48932 MEDIUM POC
5.3 Oct 24

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV

CVE-2025-58432 MEDIUM POC
5.2 Sep 17

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV

CVE-2026-28798 CRITICAL
9.0 Apr 03

Server-side request forgery (SSRF) in ZimaOS web interface allows unauthenticated remote attackers to access internal lo

CVE-2025-58431 MEDIUM POC
4.8 Sep 17

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV

Share

CVE-2024-49357 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy