Unrated severityNVD Advisory· Published Oct 24, 2024· Updated Nov 5, 2025
ZimaOS Unauthenticated API Discloses Usernames
CVE-2024-48932
Description
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint http:///v1/users/name allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: < 1.5.0
Patches
Vulnerability mechanics
References
3- github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-57r9-43pc-gcp2mitrex_refsource_MISC
- github.com/IceWhaleTech/ZimaOS/security/advisories/GHSA-9mrr-px2c-w42cmitrex_refsource_CONFIRM
- youtu.be/wJFq8cuyFm4mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.