How severe is CVE-2024-49358?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2024-49358?

This is classified as CWE-203, which is a common weakness in software security.

CVE-2024-49358 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Server-IP>/v1/users/login` in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can be exploited for username enumeration, allowing attackers to determine whether a user exists in the system or not. Attackers can leverage this information in further attacks, such as credential stuffing or targeted password brute-forcing. As of time of publication, no known patched versions are available.

Related Vulnerabilities

CVE-2013-1422

MEDIUM

CVSS:5.3(Medium)

webcalendar before 1.2.7 shows the reason for a failed login (e.g., "no such user").

CWE-2032013

CVE-2014-4156

MEDIUM

CVSS:5.3(Medium)

Proxmox VE prior to 3.2: 'AccessControl.pm' User Enumeration Vulnerability

CWE-2032014

CVE-2016-9129

MEDIUM

CVSS:5.3(Medium)

Revive Adserver before 3.2.3 suffers from Information Exposure Through Discrepancy. It is possible to check whether or not an email address was associated to one or more user accounts on a target Revi...

CWE-2032016

CVE-2017-5107

MEDIUM

CVSS:5.3(Medium)

A timing attack in SVG rendering in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to extract pixel values from a cross-origin page being iframe'd via a craf...

CWE-2032017

CVE-2017-7006

MEDIUM

CVSS:5.3(Medium)

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component. It allows...

CWE-2032017

CVE-2017-8055

MEDIUM

CVSS:5.3(Medium)

WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML-RPC login handler. A login request that contains a blank password sent to the XML-RPC agent in Fireware v11.12.1 and earlier retur...

CWE-2032017