6.5 Medium
AI Score
Confidence
Low
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.005 Low
EPSS
Percentile
75.1%
Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header.
archives.neohapsis.com/archives/bugtraq/2012-04/0135.html
lists.fedoraproject.org/pipermail/package-announce/2012-May/079432.html
lists.fedoraproject.org/pipermail/package-announce/2012-May/079481.html
lists.fedoraproject.org/pipermail/package-announce/2012-May/079604.html
bugzilla.mozilla.org/show_bug.cgi?id=728639