CVE-2024-10013
Published 2024-11-13
Priority: P339 · Severity: high · CVSS 3.1 base score: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.22% (12.8th percentile)
In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability.
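The advisory names the bug class (CWE-502, insecure deserialization) but not the specific sink inside Telerik UI for WinForms, so the following is an added illustration of that class in .NET, not Telerik's code. It places the vulnerable pattern (letting a `BinaryFormatter` stream decide which types get instantiated) beside a partial mitigation (a `SerializationBinder` allow-list) and the real fix (a data-only format such as `System.Text.Json`). The `LayoutSettings` type, the idea of a persisted layout file the victim opens, and the allow-list contents are hypothetical; the code targets .NET Framework 4.x or .NET 6/7, since `BinaryFormatter.Deserialize` throws by default on .NET 8 and later.

```csharp
// Added example of the CWE-502 pattern the advisory names. Not Telerik's code;
// the Telerik-specific deserialization sink is not disclosed on this page.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public sealed class LayoutSettings   // hypothetical persisted UI state
{
    public string Theme { get; set; } = "Default";
    public int[] ColumnWidths { get; set; } = Array.Empty<int>();
}

// Refuses every type the stream names unless it is on the allow-list.
// BinaryFormatter consults the binder before instantiating each object record,
// so a gadget type is never constructed. A partial mitigation only:
// Microsoft's guidance is to stop using BinaryFormatter on untrusted input.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Type[] Allowed = { typeof(LayoutSettings) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (t.FullName == typeName) return t;
        throw new SerializationException($"refusing to deserialize type {typeName}");
    }
}

public static class LayoutLoader
{
    // VULNERABLE: the stream, not the caller, decides which types are created.
    // A crafted file handed to the victim (the local, user-interaction vector
    // in the CVSS string above) can name types whose deserialization
    // callbacks run attacker-controlled code.
    public static LayoutSettings LoadUnsafe(byte[] untrusted)
    {
        var formatter = new BinaryFormatter();
        using var ms = new MemoryStream(untrusted);
        return (LayoutSettings)formatter.Deserialize(ms);
    }

    // MITIGATED: same wire format, but only allow-listed types may be created.
    public static LayoutSettings LoadWithBinder(byte[] untrusted)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using var ms = new MemoryStream(untrusted);
        return (LayoutSettings)formatter.Deserialize(ms);
    }

    // FIXED: a data-only format. System.Text.Json constructs only the type the
    // caller asked for and ignores any type names that appear in the input.
    public static LayoutSettings LoadSafe(byte[] untrusted)
    {
        var opts = new JsonSerializerOptions { MaxDepth = 16 };
        return JsonSerializer.Deserialize<LayoutSettings>(untrusted, opts)
               ?? throw new InvalidDataException("empty layout");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed input: a legitimate layout round-tripped through the safe path.
        var original = new LayoutSettings { Theme = "Dark", ColumnWidths = new[] { 80, 120 } };
        byte[] json = JsonSerializer.SerializeToUtf8Bytes(original);
        LayoutSettings loaded = LayoutLoader.LoadSafe(json);
        Console.WriteLine($"{loaded.Theme}, {loaded.ColumnWidths.Length} columns");
    }
}
```

For this CVE the remediation is the vendor's: upgrade to 2024 Q4 (2024.4.1113) or later. The binder and JSON variants above are what to reach for in your own WinForms code that persists or imports state, since a binder only narrows the attack surface while a data-only format removes the type-confusion sink altogether.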
Affected
4 ranges as indexed. Only the Progress rows concern this CVE; the two github.com/IceWhaleTech CasaOS-UserService rows belong to CVE-2024-28232 (the CasaOS username-enumeration advisory reproduced further down), which has been cross-linked to this page and has nothing to do with Telerik UI for WinForms.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | icewhaletech_casaos-userservice | >= 0 < 0.4.8 | 0.4.8 |
| github.com | icewhaletech_casaos-userservice | >= 0.4.7 < 0.4.8 | 0.4.8 |
| progress | telerik_ui_for_winforms | < 2024.4.1113 | 2024.4.1113 |
| progress_software | telerik_ui_for_winforms | >= 2011.1.315 < 2024.4.1113 | 2024.4.1113 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| GHSA | | 7.5 | HIGH | |
GHSA
GHSA-gxmf-6vg5-f87h (ghsa_unreviewed · 2024-11-13): CVE-2024-10013 [HIGH] CWE-502
In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability.
OSV
The OSV and GHSA records below describe a different vulnerability, CVE-2024-28232 (username enumeration in CasaOS), not CVE-2024-10013. They are unrelated to Telerik UI for WinForms; the most likely reason they are attached here is that the CasaOS error code "10013" quoted in the advisory matches the numeric suffix of this CVE.
CVE-2024-28232 (osv · 2024-04-02): Login username enumeration in github.com/IceWhaleTech/CasaOS-UserService
The CasaOS login page has a username enumeration vulnerability that was patched in CasaOS v0.4.7. The issue exists because the application response differs depending on whether the username or the password is incorrect, allowing an attacker to enumerate usernames by observing the response. For example, if the username is incorrect the application returns "User does not exist" with return code "10006", while if the password is incorrect it returns "User does not exist or password is invalid" with return code "10013". This lets an attacker determine whether a username exists without knowing the password.
GHSA
CVE-2024-28232 (ghsa · 2024-04-01 · CVSS 7.5) [MEDIUM] CWE-204: CasaOS Username Enumeration - Bypass of CVE-2024-24766
### Summary
The CasaOS login page has disclosed the username enumeration vulnerability in the login page, which was patched in `CasaOS v0.4.7`.
### Details
It is observed that the attacker can enumerate the CasaOS username using the application response. If the username is incorrect, the application gives the error "**User does not exist**" with success code "**10006**"; if the password is incorrect, the application gives the error "**User does not exist or password is invalid**" with success code "**10013**".
### PoC
1. If the username is invalid, the application gives "User does not exist" with success code "**10006**".
2. If the password is invalid, the application gives "**User does not exist or password is invalid**" with success code
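The two records above describe the same oracle: a failed login for a non-existent account and a failed login for a real account with a wrong password return different codes and messages. The following is an added check for that condition, written here and not part of CasaOS or either advisory. The login path `/v1/users/login`, the JSON field names `username`, `password`, `code` and `message`, and the HTTP status 200 used in the constructed sample are assumptions; the page gives none of them, so point the probe at the real endpoint of the system under test. The "uniform" sample shows the response shape a fix should produce, not CasaOS's actual post-fix output.

```csharp
// Added example, not CasaOS code: detects whether a login endpoint leaks
// account existence through differing failure responses (CWE-204).
using System;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading.Tasks;

public sealed record LoginOutcome(int HttpStatus, int Code, string Message);

public static class EnumerationProbe
{
    // ASSUMPTION: route and JSON field names. Neither is given on this page.
    private const string LoginPath = "/v1/users/login";

    public static async Task<LoginOutcome> AttemptAsync(
        HttpClient http, string baseUrl, string username, string password)
    {
        using var resp = await http.PostAsJsonAsync(baseUrl + LoginPath, new { username, password });
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        var root = doc.RootElement;
        int code = root.TryGetProperty("code", out var c) && c.TryGetInt32(out var n) ? n : -1;
        string message = root.TryGetProperty("message", out var m) ? m.GetString() ?? "" : "";
        return new LoginOutcome((int)resp.StatusCode, code, message);
    }

    // Two failed logins that differ only in whether the account exists.
    // Any observable difference in status, code or message is an oracle.
    public static bool LeaksAccountExistence(LoginOutcome unknownUser, LoginOutcome knownUserBadPassword) =>
        unknownUser.HttpStatus != knownUserBadPassword.HttpStatus
        || unknownUser.Code != knownUserBadPassword.Code
        || unknownUser.Message != knownUserBadPassword.Message;

    // Live probe: one account you know exists, one that almost certainly does not.
    public static async Task<bool> RunAsync(string baseUrl, string knownUser)
    {
        using var http = new HttpClient();
        string bogusUser = "no-such-user-" + Guid.NewGuid().ToString("N");
        LoginOutcome unknown = await AttemptAsync(http, baseUrl, bogusUser, "wrong-password");
        LoginOutcome known = await AttemptAsync(http, baseUrl, knownUser, "wrong-password");
        return LeaksAccountExistence(unknown, known);
    }

    public static void Main()
    {
        // Constructed offline sample using the codes and messages quoted in the
        // advisory; the HTTP status 200 is an assumption.
        bool vulnerable = LeaksAccountExistence(
            new LoginOutcome(200, 10006, "User does not exist"),
            new LoginOutcome(200, 10013, "User does not exist or password is invalid"));

        // Constructed shape of a correct fix: identical response either way.
        bool uniform = LeaksAccountExistence(
            new LoginOutcome(200, 10013, "User does not exist or password is invalid"),
            new LoginOutcome(200, 10013, "User does not exist or password is invalid"));

        Console.WriteLine($"advisory responses leak: {vulnerable}; uniform responses leak: {uniform}");
    }
}
```

The comparison is deliberately strict: the code alone (10006 versus 10013) is enough to enumerate, so normalising only the message text would not close the hole. Response timing is a second channel this probe does not measure; if the fix stops at unifying the body, compare round-trip times for the two cases as well.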
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-11-13