CVE-2024-0787

Public Exploit
Improper Restriction of Excessive Authentication Attempts in phpipam/phpipam

Description

phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0.

Category

5.9
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 3.0 •
EPSS 0.06%
Third-Party Advisory huntr.com
Affected: phpipam phpipam/phpipam
Published at:
Updated at:

References

Link Tags
https://huntr.com/bounties/840cb582-1feb-43ab-9cc4-e4b5a63c5bab third party advisory exploit
https://github.com/phpipam/phpipam/commit/55c2056068be9f1359e967fcff64db6b7f4d00b5 patch

Frequently Asked Questions

What is the severity of CVE-2024-0787?
CVE-2024-0787 has been scored as a medium severity vulnerability.
How to fix CVE-2024-0787?
To fix CVE-2024-0787, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-0787 being actively exploited in the wild?
It is possible that CVE-2024-0787 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-0787?
CVE-2024-0787 affects phpipam phpipam/phpipam.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.