From this web page screenshot, the following key information about the vulnerability can be extracted:

1. Vulnerability description:
   - Title: Username Enumeration via API Responses in ZimaOS
   - Published by: LinkLeong
   - CVE ID: CVE-2024-49358
   - Severity: Moderate (5.3/10)
   - Description: An API endpoint in ZimaOS returns distinct responses depending on whether a username exists or the password is incorrect. This behavior can be exploited for username enumeration, allowing attackers to determine whether a user exists in the system.

2. Vulnerability details:
   - Root cause: The vulnerability arises because the API returns differing error messages when an invalid username is supplied versus when an incorrect password is supplied.
   - PoC:
     1. Send a POST request to the login endpoint with a valid username but an incorrect password.
     2. Send another POST request with a non-existent username.

3. Impact:
   - User enumeration: Attackers can collect valid usernames for use in later attacks, such as password brute-forcing or credential stuffing.
   - Targeted attacks: With knowledge of valid usernames, attackers can focus their efforts on known users, increasing the success rate of other attacks, including phishing or account takeover.

4. Recommended fix:
   - Return a generic error message for both incorrect usernames and incorrect passwords, such as "Invalid username or password," regardless of the actual cause.

5. Possible fix code:
   - Before:
   - After:

6. Logging and monitoring:
   - Log failed login attempts and generate alerts for suspicious activity, such as a high volume of failed logins.
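The page does not show the actual ZimaOS code behind "Before" and "After", so the following is an added example (not ZimaOS's own code) of the contrast in Go: a login function that leaks account existence through its status and message, next to one that returns the single generic error the advisory recommends, plus a check that detects the enumeration oracle. The user store, usernames and passwords are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed store: username -> SHA-256 of password (use bcrypt/argon2 in real code).
var users = map[string][32]byte{"admin": sha256.Sum256([]byte("correct-horse"))}

// vulnerableLogin mirrors the advisory: status and message reveal whether the user exists.
func vulnerableLogin(user, pass string) (int, string) {
	h, ok := users[user]
	if !ok {
		return 404, "user does not exist"
	}
	got := sha256.Sum256([]byte(pass))
	if subtle.ConstantTimeCompare(got[:], h[:]) != 1 {
		return 401, "incorrect password"
	}
	return 200, "ok"
}

// hardenedLogin returns one status and one message for both failures, and still
// runs the comparison against a dummy hash for unknown users so the work is the same.
func hardenedLogin(user, pass string) (int, string) {
	h, ok := users[user]
	if !ok {
		h = sha256.Sum256([]byte("dummy-password-never-valid"))
	}
	got := sha256.Sum256([]byte(pass))
	if !ok || subtle.ConstantTimeCompare(got[:], h[:]) != 1 {
		return 401, "Invalid username or password"
	}
	return 200, "ok"
}

// responsesDiffer is the enumeration check: does a known user with a bad password
// get a different reply than an unknown user?
func responsesDiffer(login func(string, string) (int, string)) bool {
	s1, m1 := login("admin", "wrong")
	s2, m2 := login("nobody", "wrong")
	return s1 != s2 || m1 != m2
}

func main() {
	fmt.Println("vulnerable leaks:", responsesDiffer(vulnerableLogin)) // true
	fmt.Println("hardened leaks:", responsesDiffer(hardenedLogin))     // false
}
```

The same two-request comparison is a useful regression test to keep in a service's test suite, since any later change that reintroduces a distinct "user not found" branch will make it fail.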