Improper Authorization in WPS Limit Login - #VU19351

Published: July 24, 2019


Vulnerability identifier: #VU19351
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: WPServeur, NicolasKulka, benoitgeek
Affected software:
WPS Limit Login

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass the protection.

The vulnerability exists in the "get_address()" method, which reads the "HTTP_X_FORWARDED_FOR" server variable to identify the client. Because this header is client-controlled, a remote attacker can change the X-Forwarded-For value on each request so that every login attempt is treated as the first one, run an automated brute-force attack against the password, and gain unauthorized access to the target system.
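To make the keying issue concrete, the following is an added, constructed PHP example (not the plugin's own code): a failed-login counter keyed on a get_address() that trusts X-Forwarded-For unconditionally, beside a version that only honours the header when the request arrived from a configured reverse proxy. The proxy address, attempt limit and request values are assumptions.

```php
<?php
// Added example, not code from WPS Limit Login. Two ways to derive the
// address a login limiter keys its counter on.

const TRUSTED_PROXIES = ['10.0.0.5']; // assumption: your own reverse proxy
const MAX_FAILURES    = 5;            // assumption: lockout threshold

function get_address_trusting_xff(array $server): string {
    // Flawed: the header is supplied by the client, so each request can
    // present a different value and start a fresh counter.
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'];
}

function get_address_hardened(array $server): string {
    $remote = $server['REMOTE_ADDR'];
    if (in_array($remote, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Behind one trusted proxy, the entry the proxy appended is the last
        // hop; anything before it was written by the client and is ignored.
        $hops   = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $client = end($hops);
        if (filter_var($client, FILTER_VALIDATE_IP) !== false) {
            return $client;
        }
    }
    // Not from a trusted proxy (or malformed header): use the socket peer.
    return $remote;
}

// Increment the failure counter for $addr; true means the limit is reached.
function record_failure(array &$attempts, string $addr): bool {
    $attempts[$addr] = ($attempts[$addr] ?? 0) + 1;
    return $attempts[$addr] >= MAX_FAILURES;
}

// Constructed requests: one socket peer, a different header value each time.
$attempts_vuln = $attempts_hard = [];
$locked_vuln   = $locked_hard   = false;
for ($i = 1; $i <= 6; $i++) {
    $req = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => "198.51.100.$i"];
    $locked_vuln = record_failure($attempts_vuln, get_address_trusting_xff($req));
    $locked_hard = record_failure($attempts_hard, get_address_hardened($req));
}
printf("trusting X-Forwarded-For, locked out after 6 failures: %s\n", $locked_vuln ? 'yes' : 'no');
printf("hardened keying,          locked out after 6 failures: %s\n", $locked_hard ? 'yes' : 'no');
```

With the header-trusting variant the counter never passes 1 for any key, while the hardened variant attributes all six failures to the real peer address and locks it out.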

Remediation

Install updates from vendor's website.

Sources