CVE-2024-54450

CRITICAL Year: 2024
CVSS v3 Score
9.4
Critical
Weakness Type
CWE-290
View all →

Vulnerability Description

An issue was discovered in Kurmi Provisioning Suite 7.9.0.33. If an X-Forwarded-For header is received during authentication, the Kurmi application will record the (possibly forged) IP address mentioned in that header rather than the real IP address that the user logged in from. This fake IP address can later be displayed in the My Account popup that shows the IP address that was used to log in.

Related Vulnerabilities

CVE-2024-32977

CRITICAL
CVSS:9.4(Critical)

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely ...

CWE-2902024

CVE-2025-25182

CRITICAL
CVSS:9.4(Critical)

Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 that allows authenti...

CWE-2902025

CVE-2022-31149

CRITICAL
CVSS:9.6(Critical)

ActivityWatch open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker f...

CWE-2902022

CVE-2024-12108

CRITICAL
CVSS:9.6(Critical)

In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.

CWE-2902024

CVE-2024-23674

CRITICAL
CVSS:9.6(Critical)

The Online-Ausweis-Funktion eID scheme in the German National Identity card through 2024-02-15 allows authentication bypass by spoofing. A man-in-the-middle attacker can assume a victim's identify for...

CWE-2902024

CVE-2017-14487

CRITICAL
CVSS:9.1(Critical)

The OhMiBod Remote app for Android and iOS allows remote attackers to impersonate users by sniffing network traffic for search responses from the OhMiBod API server and then editing the username, user...

CWE-2902017