CVE-2022-2368
MEDIUM6.5EPSS 0.12%Microweber before 1.2.21 allows attacker to bypass IP detection to brute-force password
發布日:2022/7/12修改日:2024/2/16
描述
In the login API, an IP address will by default be blocked when the user tries to login incorrectly more than 5 times. However, a bypass to this mechanism is possible by abusing a X-Forwarded-For header to bypass IP detection and perform a password brute-force. A patch for this issue is available in Microweber version 1.2.21.
受影響套件(1)
- Packagist/microweber/microweberfrom 0, < 1.2.21
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L |