Icewhale Casaos-Userservice vulnerabilities

CVE-2024-28232 [HIGH] CVE-2024-28232: Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The C Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in version 0.4.8 but that version has not yet been uploaded to Go's package manager.

CVE-2024-24766 [HIGH] CWE-204 CVE-2024-24766: CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 a CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error