Zimaos
CVE-2024-49358
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http://<Server-IP>/v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can be exploited for username enumeration, allowing attackers to determine whether a user exists in the system or not. Attackers can leverage this information in further attacks, such as credential stuffing or targeted password brute-forcing. As of time of publication, no known patched versions are available.
AnalysisAI
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-203. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http://<Server-IP>/v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can be exploited for username enumeration, allowing attackers to determine whether a user exists in the system or not. Attackers can leverage this information in further attacks, such as credential stuffing or targeted password brute-forcing. As of time of publication, no known patched versions are available. Affected products include: Zimaspace Zimaos. Version information: version 1.2.4.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
ZimaOS (fork of CasaOS) through 1.5.0 has an authentication bypass where passwords for system service accounts are not p
ZimaOS 1.5.2-beta3 lacks proper path validation in its API, allowing authenticated users to bypass frontend restrictions
ZimaOS 1.5.2-beta3 fails to validate filesystem paths in its API delete endpoint, allowing authenticated users to bypass
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated high severity (CVSS
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. [CVSS 7.1 HIGH]
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV
Server-side request forgery (SSRF) in ZimaOS web interface allows unauthenticated remote attackers to access internal lo
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Rated medium severity (CV
Same weakness CWE-203 – Observable Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today