Cerber Limit Login Attempts <= 2.0.1.6 - Unauthenticated Stored XSS
Description
If the option "I'm behind a proxy" is enabled, the visitor IP is read from the X-Forwarded-For request header, stored, and later printed in the admin panel without any sanitization or validation. Because the header is fully attacker-controlled, any HTML placed in it is persisted and rendered in an administrator's browser.
Proof of Concept
Set the X-Forwarded-For header to `<script>alert(1)</script>` and submit a failed login attempt. The payload is stored as the visitor IP and executes when an administrator views the login-attempt log.
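The root cause is that a header value is trusted as an IP address. The following PHP is an added illustration written for this advisory, not code from the plugin: it shows the two controls that close this class of bug, validating the header as a literal IP (falling back to the socket address otherwise) and escaping the stored value on output. It assumes a single trusted reverse proxy that appends the real client address as the last element of X-Forwarded-For; the `$server` array and the function names are constructed for the example.

```php
<?php
// Added example (not the plugin's code). Derive the client IP when the
// "behind a proxy" option is enabled, without ever storing raw header text.
// Assumption: one trusted proxy appends the client address as the LAST
// element of X-Forwarded-For; earlier elements may be attacker-supplied.

function client_ip_from_request(array $server, bool $behind_proxy): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // With the option disabled, the header must be ignored entirely.
    if (!$behind_proxy || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // X-Forwarded-For may be a comma-separated chain; take the entry our
    // own proxy added, not whatever the client put at the front.
    $parts     = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $candidate = end($parts);

    // Validation: reject anything that is not a literal IPv4/IPv6 address.
    // This is what blocks "<script>alert(1)</script>" from ever being stored.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remote;
    }
    return $candidate;
}

// Output encoding: defence in depth, applied even to a validated value.
// Inside WordPress the equivalent helper would be esc_html().
function render_ip_cell(string $ip): string
{
    return '<td>' . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed request mirroring the proof of concept above.
$server = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>',
];

// The payload fails FILTER_VALIDATE_IP, so the socket address is stored.
$stored = client_ip_from_request($server, true);
echo $stored, "\n";

// Even if a raw value reached the template, escaping neutralises it.
echo render_ip_cell('<script>alert(1)</script>'), "\n";
```

Of the two controls, validation is the one that fixes the stored-data problem: once only well-formed addresses are persisted, the admin panel has nothing dangerous to render. Output escaping remains necessary because other code paths may display the same field, and because the trusted-proxy assumption above only holds when the proxy is actually in front of the site.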