AttackerKBAKB:28D6A5E1-DA51-4967-AF7F-E98061A68EB3CVE-2019-17240
0.096 Low
EPSS
Percentile
94.8%
bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers.
Recent assessments:
noraj at May 08, 2021 7:26pm UTC reported:
This is just a security bypass allowing an attacker to perform a brute-force attack on the authentication form without being blocked after 10 attemps.
So 9.8 CVSS score is way too high for this vuln.
Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 4
References
packetstormsecurity.com/files/158875/Bludit-3.9.2-Authentication-Bruteforce-Mitigation-Bypass.html
packetstormsecurity.com/files/159664/Bludit-3.9.2-Bruteforce-Mitigation-Bypass.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17240
github.com/bludit/bludit/pull/1090
github.com/noraj/Bludit-auth-BF-bypass
rastating.github.io/bludit-brute-force-mitigation-bypass
rastating.github.io/bludit-brute-force-mitigation-bypass/
Related
