Summary
Regression of GHSA-9mrr-px2c-w42c in ZimaOS 1.5.0
• The API endpoint http://Server-ip/v1/users/name allows unauthenticated users to access usernames, without any authorization.
• This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns.
Details
• ZimaOS API still reveals usernames to unauthenticated users.
• Affected versions confirmed: 1.5.0
• GHSA-9mrr-px2c-w42c indicates the issue was fixed in 1.2.5.
Environment
• Network: Reproduced on LAN and via Tailscale (remote host connected to tailnet; no reverse proxy in path)
• Client: Private browser window to ensure no cookies; shell PoC below also clears cookies/headers
• Verified via CLI: curl -sS -D- -H 'Cookie:' -H 'Authorization:' http://Server-ip/v1/users/name
PoC
• Send a request to the endpoint: http://Server-ip/v1/users/name
• Expected response: 401 Unauthorized or 403 Forbidden
• Actual response: {"success":200,"message":"ok","data":["John Doe"]}
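The following script is an added example, not part of the original report, that turns the reproduction above into a repeatable regression check a maintainer can keep alongside the fix for GHSA-9mrr-px2c-w42c. It sends the same credential-less GET that the report's curl command sends (no Cookie or Authorization header) and classifies the answer: a 401/403 means the endpoint is protected, a 200 with a list of names in `data` means the regression is back. The host is the report's `Server-ip` placeholder, and the function names and the response shape checked are taken from the sample response quoted above.

```python
"""Regression check for anonymous access to /v1/users/name (added example)."""
import json
import sys
import urllib.error
import urllib.request

# Placeholder host, written as Server-ip in the report; replace with the host under test.
SERVER = "http://Server-ip"
ENDPOINT = "/v1/users/name"


def classify(status: int, body: bytes) -> str:
    """Map an HTTP status and body to a verdict.

    'fixed'       -> the anonymous request was rejected (401/403)
    'vulnerable'  -> 200 with a JSON object whose "data" is a list of names,
                     the shape quoted in the report
    'unexpected'  -> anything else (worth a look, but not the known regression)
    """
    if status in (401, 403):
        return "fixed"
    if status == 200:
        try:
            payload = json.loads(body.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return "unexpected"
        data = payload.get("data") if isinstance(payload, dict) else None
        if isinstance(data, list) and any(isinstance(name, str) for name in data):
            return "vulnerable"
    return "unexpected"


def fetch_anonymous(url: str, timeout: float = 5.0) -> tuple[int, bytes]:
    """GET the URL with no Cookie or Authorization header.

    Equivalent to the report's  curl -H 'Cookie:' -H 'Authorization:'  call:
    urllib adds neither header unless asked, and no cookie jar is installed.
    """
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 401/403 surface as HTTPError; keep the status and body for classify().
        return err.code, err.read()


def main() -> int:
    status, body = fetch_anonymous(SERVER + ENDPOINT)
    verdict = classify(status, body)
    print(f"HTTP {status} -> {verdict}")
    # Non-zero exit makes the check usable as a CI gate: only 'fixed' passes.
    return 0 if verdict == "fixed" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it against a patched build and expect exit status 0; the verdict logic is separated from the network call so it can be unit-tested with captured responses, including the exact body quoted in the report.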
Video PoC
• https://youtu.be/ieJnMx5EHFo
Impact
• User Enumeration: Attackers can gather usernames, which can then be used for password brute-forcing or targeted phishing attacks.
• Further Exploitation: This issue can lead to other vulnerabilities being more easily exploited, especially if username-based access controls exist elsewhere in the application.
Scope
• Reproducible on LAN and via Tailscale.
• Verified using a private browser session and stateless curl requests.
Timeline
• Discovery: 10/10/2025
• This report: 10/10/2025
Disclosure & Requests
• Please treat this as a private report and confirm receipt.
• Kindly confirm affected version range and remediation plan.
• Upon fix, please credit me as the reporter and (if appropriate) update/publish the CVE in the GitHub Security Advisory.
Reporter
xobash