phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0.
Metrics
Affected Vendors & Products
References
History
Fri, 15 Nov 2024 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Phpipam
Phpipam phpipam |
|
CPEs | cpe:2.3:a:phpipam:phpipam:*:*:*:*:*:*:*:* | |
Vendors & Products |
Phpipam
Phpipam phpipam |
|
Metrics |
cvssV3_1
|
Fri, 15 Nov 2024 11:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0. | |
Title | Improper Restriction of Excessive Authentication Attempts in phpipam/phpipam | |
Weaknesses | CWE-307 | |
References |
| |
Metrics |
cvssV3_0
|
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-11-15T10:57:05.410Z
Updated: 2024-11-15T19:09:48.262Z
Reserved: 2024-01-22T17:00:17.923Z
Link: CVE-2024-0787
Vulnrichment
Updated: 2024-11-15T19:09:42.489Z
NVD
Status : Analyzed
Published: 2024-11-15T11:15:09.213
Modified: 2024-11-19T15:53:59.093
Link: CVE-2024-0787
Redhat
No data.