bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers. The login throttle counts failed attempts per client IP, but it derives that IP from these client-controlled headers before falling back to REMOTE_ADDR, so an attacker can present a fresh address on every request and the per-IP counter never reaches its limit.
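The following model, added here as an illustration and not Bludit's own code, reproduces the behaviour the description above refers to: a per-IP failed-login counter whose IP comes from X-Forwarded-For or Client-IP, and a brute-force loop that rotates a forged header so the counter is never tripped. Beside it is a hardened variant that keys on REMOTE_ADDR and only honours X-Forwarded-For from a trusted reverse proxy. The class and function names, the trusted-proxy address, the attacker address, the wordlist and the password are constructed for the example.

```python
"""Model of the Bludit 3.9.2 login throttle and the header-spoofing bypass.

Added example, not Bludit's code. It models the behaviour the advisory
describes: the throttle keys its failed-attempt counter on an IP taken from
X-Forwarded-For / Client-IP, so an attacker can present a fresh "IP" on every
request. The attacker address, proxy address, wordlist and password below are
constructed for the demonstration.
"""
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 10          # Bludit blocks an IP after 10 failed logins
ATTACKER_ADDR = "203.0.113.7"     # constructed: attacker's real address as the server sees it
TRUSTED_PROXY = "192.0.2.1"       # constructed: the only peer allowed to set X-Forwarded-For
REAL_PASSWORD = "password42"      # constructed
WORDLIST = [f"password{n}" for n in range(50)]  # constructed; the hit is the 43rd entry


class LoginThrottle:
    """Per-IP failed-login counter.

    mode="vulnerable": trust X-Forwarded-For / Client-IP before REMOTE_ADDR,
                       modelled on the unpatched security.class.php.
    mode="hardened":   use REMOTE_ADDR, and honour X-Forwarded-For only when the
                       direct peer is a trusted reverse proxy, taking the entry
                       that proxy appended (the rightmost one).
    """

    def __init__(self, mode, trusted_proxies=frozenset()):
        self.mode = mode
        self.trusted_proxies = trusted_proxies
        self.failures = defaultdict(int)

    def client_ip(self, request):
        headers = request["headers"]
        remote = request["remote_addr"]
        if self.mode == "vulnerable":
            for name in ("X-Forwarded-For", "Client-IP"):
                if name in headers:
                    return headers[name]          # attacker-controlled value wins
            return remote
        if remote in self.trusted_proxies and "X-Forwarded-For" in headers:
            return headers["X-Forwarded-For"].split(",")[-1].strip()
        return remote

    def is_blocked(self, request):
        return self.failures[self.client_ip(request)] >= MAX_FAILED_ATTEMPTS

    def record_failure(self, request):
        self.failures[self.client_ip(request)] += 1


def login(throttle, request, password):
    """Return 'blocked', 'success' or 'failed' for one login attempt."""
    if throttle.is_blocked(request):
        return "blocked"
    if password == REAL_PASSWORD:
        return "success"
    throttle.record_failure(request)
    return "failed"


def brute_force(throttle, spoof_header):
    """Try WORDLIST from ATTACKER_ADDR. With spoof_header=True every request
    carries a different forged X-Forwarded-For value, as the public exploits do.
    Returns (password_found_or_None, requests_sent, requests_blocked)."""
    sent = blocked = 0
    for i, candidate in enumerate(WORDLIST):
        request = {"remote_addr": ATTACKER_ADDR, "headers": {}}
        if spoof_header:
            request["headers"]["X-Forwarded-For"] = f"10.0.{i // 256}.{i % 256}"
        sent += 1
        result = login(throttle, request, candidate)
        if result == "success":
            return candidate, sent, blocked
        if result == "blocked":
            blocked += 1
    return None, sent, blocked


def run_scenario(mode, spoof_header):
    """Run one brute-force campaign against a fresh throttle in the given mode."""
    throttle = LoginThrottle(mode, trusted_proxies=frozenset({TRUSTED_PROXY}))
    return brute_force(throttle, spoof_header)


if __name__ == "__main__":
    for mode in ("vulnerable", "hardened"):
        for spoof in (False, True):
            print(mode, "spoof" if spoof else "no spoof", run_scenario(mode, spoof))
```

Without spoofing, both variants block the attacker after the tenth failure and the remaining 40 guesses are rejected. With a rotating X-Forwarded-For the vulnerable throttle never blocks and the password is found on the 43rd request, while the hardened throttle ignores the header because the request did not arrive via the trusted proxy. The hardened variant is the general fix for any per-IP limiter behind a reverse proxy; which exact change Bludit shipped is documented in the pull request linked below.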
Recent assessments:
noraj at May 08, 2021 7:26pm UTC reported:
This is just a security bypass allowing an attacker to perform a brute-force attack on the authentication form without being blocked after 10 attempts.
So 9.8 CVSS score is way too high for this vuln.
Assessed Attacker Value: 2
packetstormsecurity.com/files/158875/Bludit-3.9.2-Authentication-Bruteforce-Mitigation-Bypass.html
packetstormsecurity.com/files/159664/Bludit-3.9.2-Bruteforce-Mitigation-Bypass.html
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17240
github.com/bludit/bludit/pull/1090
github.com/noraj/Bludit-auth-BF-bypass
rastating.github.io/bludit-brute-force-mitigation-bypass