Description
Microweber before 1.2.21 allows an attacker to bypass IP detection and brute-force passwords
In the login API, an IP address is blocked by default after the user fails to log in more than 5 times. However, this mechanism can be bypassed by abusing an X-Forwarded-For header, which defeats the IP detection and allows a password brute-force. A patch for this issue is available in Microweber version 1.2.21.
Packages
Name
microweber/microweber
composer
Affected versions: < 1.2.21
Fixed version: 1.2.21
Related vulnerabilities
CVSS3: 6.5
nvd
more than 3 years ago
Authentication Bypass by Spoofing in GitHub repository microweber/microweber prior to 1.2.20.