VulnerableCode Package Details - pkg:golang/github.com/IceWhaleTech/CasaOS-UserService@0.4.7

Search for packages

Vulnerability	Summary	Fixed by
VCID-kyqj-bbye-e7gc Aliases: CVE-2024-28232 GHSA-hcw2-2r9c-gc6p	Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in version 0.4.8 but that version has not yet been uploaded to Go's package manager.	0.4.8 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-kyqj-bbye-e7gc
Aliases:
CVE-2024-28232
GHSA-hcw2-2r9c-gc6p

Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in version 0.4.8 but that version has not yet been uploaded to Go's package manager.

0.4.8
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-t75x-s4js-gqa7	CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error `User does not exist`. If the password is incorrect application gives the error `Invalid password`. Version 0.4.7 fixes this issue.	CVE-2024-24766 GHSA-c967-2652-gfjm
VCID-tjbj-u5r1-y7bs	CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. This vulnerability allows attackers to get super user-level access over the server. Version 0.4.7 contains a patch for this issue.	CVE-2024-24767 GHSA-c69x-5xmw-v44x
VCID-y2d5-dzsu-cqcs	CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.	CVE-2024-24765 GHSA-h5gf-cmm8-cg7c

Vulnerability

Summary

Aliases

VCID-t75x-s4js-gqa7

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error `**User does not exist**`. If the password is incorrect application gives the error `**Invalid password**`. Version 0.4.7 fixes this issue.

CVE-2024-24766
GHSA-c967-2652-gfjm

VCID-tjbj-u5r1-y7bs

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. This vulnerability allows attackers to get super user-level access over the server. Version 0.4.7 contains a patch for this issue.

CVE-2024-24767
GHSA-c69x-5xmw-v44x

VCID-y2d5-dzsu-cqcs

CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example, the CasaOS user database, and possibly obtain system root privileges. Version 0.4.7 fixes this issue.

CVE-2024-24765
GHSA-h5gf-cmm8-cg7c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T07:42:58.075622+00:00	GithubOSV Importer	Fixing	VCID-tjbj-u5r1-y7bs	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-c69x-5xmw-v44x/GHSA-c69x-5xmw-v44x.json	38.6.0
2026-06-12T07:42:54.392834+00:00	GithubOSV Importer	Fixing	VCID-t75x-s4js-gqa7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-c967-2652-gfjm/GHSA-c967-2652-gfjm.json	38.6.0
2026-06-12T07:42:54.007623+00:00	GithubOSV Importer	Fixing	VCID-y2d5-dzsu-cqcs	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-h5gf-cmm8-cg7c/GHSA-h5gf-cmm8-cg7c.json	38.6.0
2026-06-12T07:40:29.093408+00:00	GithubOSV Importer	Affected by	VCID-kyqj-bbye-e7gc	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-hcw2-2r9c-gc6p/GHSA-hcw2-2r9c-gc6p.json	38.6.0