Icewhaletech
Products: 2
- 12 CVEs
- 4 CVEs

Recent CVEs: 16

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-28798 | | Cri | 0.52 | 9.0 | 0.00 | | Apr 3, 2026 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests… |
| CVE-2024-49357 | | | 0.06 | — | 0.21 | | Oct 24, 2024 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http:///v1/users/image?path=/var/lib/casaos/1/app_order.json` and… |
| CVE-2026-21891 | | | 0.01 | — | 0.02 | | Jan 8, 2026 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided… |
| CVE-2026-28442 | | | 0.00 | — | 0.00 | | Mar 5, 2026 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these… |
| CVE-2025-64427 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g.,… |
| CVE-2026-28286 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting… |
| CVE-2025-58432 | | | 0.00 | — | 0.00 | | Sep 17, 2025 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v2_1/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT. |
| CVE-2025-58431 | | | 0.00 | — | 0.00 | | Sep 17, 2025 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v2_1/files/file/download endpoint allows file read from ANY USER who has access to localhost. File reads are performed AS ROOT. |
| CVE-2024-49359 | | | 0.00 | — | 0.01 | | Oct 24, 2024 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Zima_Server_IP:PORT>/v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users… |
| CVE-2024-49358 | | | 0.00 | — | 0.00 | | Oct 24, 2024 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http:///v1/users/login` in ZimaOS returns distinct responses based on whether a username exists or the password is… |
| CVE-2024-48932 | | | 0.00 | — | 0.01 | | Oct 24, 2024 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http:///v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization.… |
| CVE-2024-48931 | | | 0.00 | — | 0.01 | | Oct 24, 2024 | ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint `http://<Zima_Server_IP:PORT>/v3/file?token=&files=<file_path>` is vulnerable to arbitrary file reading due to… |
| CVE-2024-28232 | | | 0.00 | — | 0.01 | | Apr 1, 2024 | Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in… |
| CVE-2024-24766 | | | 0.00 | — | 0.01 | | Mar 6, 2024 | CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the… |
| CVE-2024-24767 | | | 0.00 | — | 0.01 | | Mar 6, 2024 | CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the… |
| CVE-2024-24765 | | | 0.00 | — | 0.01 | | Mar 6, 2024 | CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example,… |