CVE-2024-0787

Publication date

2024-11-15 10:57:05

Family

@huntr_ai

State

PUBLISHED

Description

phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism and brute-force user passwords by supplying an X-Forwarded-For header. The issue lies in the get_user_ip() function in class.Common.php at lines 1044 and 1045, where, if the X-Forwarded-For header is present, its value is used as the client address instead of REMOTE_ADDR. This allows attackers to perform brute-force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0.
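The following is an added illustration of the weakness the description names and of a hardened way to resolve the client address for a login block list. It is not phpIPAM's code and does not reproduce the 1.7.0 fix; the function names, the $trusted_proxies list and the sample requests are assumptions constructed for this example.

```php
<?php
// Added example (not phpIPAM's code). Resolving the client IP that a
// failed-login block list is keyed on. Function names and the trusted
// proxy list are assumptions for this illustration.

// Pattern described in the advisory: if X-Forwarded-For is present it is
// used instead of REMOTE_ADDR. Any client can set that header, so the
// block list ends up keyed on an attacker-chosen value.
function get_client_ip_insecure(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened pattern: honour X-Forwarded-For only when the TCP peer
// (REMOTE_ADDR) is one of our own reverse proxies, and take the address
// the proxy chain saw (the rightmost entry that is not a trusted proxy),
// never the leftmost entry, which the client controls.
function get_client_ip_secure(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, $trusted_proxies, true)) {
        // Direct connection: the header is untrusted input, ignore it.
        return $remote;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk from the right: entries appended by our proxies are trusted,
    // the first entry that is not a trusted proxy is the real client.
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if ($hop !== ''
            && filter_var($hop, FILTER_VALIDATE_IP) !== false
            && !in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    // Header empty or only proxy addresses: fall back to the peer address.
    return $remote;
}

// Constructed sample requests (documentation ranges, not real hosts).
$direct_spoofed = [
    'REMOTE_ADDR'          => '203.0.113.10',   // real peer
    'HTTP_X_FORWARDED_FOR' => '198.51.100.77',  // value chosen by the client
];
$via_proxy = [
    'REMOTE_ADDR'          => '10.0.0.5',       // our reverse proxy
    'HTTP_X_FORWARDED_FOR' => '198.51.100.77, 203.0.113.10', // client-set, then real client appended by proxy
];
$trusted = ['10.0.0.5'];

var_dump(get_client_ip_insecure($direct_spoofed));
var_dump(get_client_ip_secure($direct_spoofed, $trusted));
var_dump(get_client_ip_secure($via_proxy, $trusted));
```

For the direct connection the insecure resolver returns the client-supplied 198.51.100.77, so every request can present a fresh key to the block list, while the hardened resolver returns the peer address 203.0.113.10. For the proxied request the hardened resolver also returns 203.0.113.10, because it takes the entry appended by the trusted proxy rather than the leftmost client-controlled one. Keying the block list on the hardened result restores the protection the advisory says is bypassed.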