
9 matches found

Vulnrichment
added 2026/04/06 8:17 p.m.

CVE-2026-35391 Bulwark Webmail getClientIP() trusted client-controlled X-Forwarded-For value, enabling rate limit bypass and audit log forgery

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP function in lib/admin/session.ts trusted the first leftmost entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to...

CVSS: 8.7 | AI score: 6 | EPSS: 0.00022
Exploits: 0 | References: 1
Veracode
added 2024/05/31 5:34 a.m.

IP Address Spoofing

Symfony is vulnerable to IP Address Spoofing. The vulnerability is due to the potential manipulation of client IP addresses returned by the Request::getClientIp method for sensitive decisions. It allows malicious actors to manipulate or spoof their IP addresses...

AI score: 7
Exploits: 0
OSV
added 2024/05/30 12:35 p.m.

GHSA-HX53-JCHX-CR52 Symfony2 improper IP based access control

Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp method when the trust proxy mode is enabled (Request::trustProxyData). An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp...

CVSS: 5.9 | AI score: 7.1
Exploits: 0 | References: 5
Github Security Blog
added 2024/05/30 12:35 p.m.

Symfony2 improper IP based access control

Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp method when the trust proxy mode is enabled (Request::trustProxyData). An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp...

AI score: 7.1
Exploits: 0 | References: 5 | Affected Software: 1
CNVD
added 2021/10/18 12:00 a.m.

Super cms cross-site scripting vulnerability

Chaojicms is a super Cms website management system. Chaoji CMS version 2.39 is vulnerable to a cross-site scripting vulnerability that allows attackers to execute arbitrary scripts via the getClientIp function in "/lib/tinwin.class.php"...

CVSS: 3.5 | AI score: 6 | EPSS: 0.00281
Exploits: 1 | Affected Software: 1
NVD
added 2021/10/14 3:15 p.m.

CVE-2020-19962

A stored cross-site scripting XSS vulnerability in the getClientIp function in /lib/tinwin.class.php of Chaoji CMS 2.39, allows attackers to execute arbitrary web scripts...

CVSS: 5.4 | EPSS: 0.00281
Exploits: 1 | References: 1
Prion
added 2021/10/14 3:15 p.m.

Cross site scripting

A stored cross-site scripting XSS vulnerability in the getClientIp function in /lib/tinwin.class.php of Chaoji CMS 2.39, allows attackers to execute arbitrary web scripts...

CVSS: 3.5 | AI score: 5.3 | EPSS: 0.00281
Exploits: 1 | References: 1 | Affected Software: 1
seebug.org
added 2015/04/09 12:00 a.m.

phpems multiple SQL injections

Brief description: phpems multiple SQL injections. Details: Baidu search: title:PHPEMS无纸化模拟考试系统. ev.cls.php: public function getClientIp() { if (!isset($this->e['ip'])) { if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown")) $ip = getenv("HTTP_CLIENT_IP"); else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown")) $...

AI score: 7.1
Exploits: 0
Symfony
added 2012/11/29 12:00 a.m.

Security release: Symfony 2.0.19 and 2.1.4

I've just released Symfony 2.0.19 and 2.1.4. Both releases contain a security fix. Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp method when the trust proxy mode is enabled (Request::trustProxyData). An application is...

AI score: 7.1
Exploits: 0