CVE-2025-66204
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wbce | cms | 1.6.4 |
| wbce | cms | 1.6.5 |
| wbce | wbce_cms | up to 1.6.5 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in WBCE CMS version 1.6.4 allows an attacker to bypass brute-force protection by modifying the 'X-Forwarded-For' HTTP header on each request. The application fully trusts this header without validation, so the attacker can reset the brute-force counter indefinitely, enabling unlimited password guessing attempts.
How can this vulnerability impact me?
The vulnerability allows attackers to perform unlimited password guessing attempts, increasing the risk of unauthorized access to user accounts or administrative functions. This can lead to account compromise, data breaches, and potential control over the CMS.
What immediate steps should I take to mitigate this vulnerability?
Upgrade WBCE CMS to version 1.6.5 or later, as this version contains the fix for the brute-force protection bypass vulnerability. Until the upgrade can be applied, consider implementing network-level controls to validate or restrict the use of the X-Forwarded-For header to prevent attackers from resetting the brute-force counter.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unlimited brute-force password guessing attempts due to bypassing brute-force protection, which could lead to unauthorized access to user accounts, including administrator accounts. This unauthorized access risk can result in potential exposure or compromise of personal or sensitive data managed by WBCE CMS. Such a risk may negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require adequate protection of personal data and access controls to prevent unauthorized access. However, the provided resources do not explicitly discuss compliance implications. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring login attempts and checking for unusual patterns in the 'X-Forwarded-For' HTTP header, such as rapidly changing or spoofed IP addresses in login requests. Since the application trusts this header for IP-based brute-force protection, an attacker manipulating it will produce many login attempts with different 'X-Forwarded-For' values from the same source. To detect this, capture and analyze HTTP requests to the WBCE CMS login endpoint, looking for multiple login attempts with varying 'X-Forwarded-For' headers from the same client (TCP peer) IP. Example commands using tcpdump and grep to capture and filter such requests:

1. Capture HTTP traffic on port 80 or 443 (adjust interface and port as needed): `sudo tcpdump -i eth0 -A 'tcp port 80 or tcp port 443' > wbce_login_traffic.log`. Note that traffic on port 443 is TLS-encrypted, so its headers are only readable if the capture is taken behind the TLS-terminating proxy or the traffic is otherwise decrypted.
2. Filter login requests and extract 'X-Forwarded-For' headers: `grep -i 'X-Forwarded-For' wbce_login_traffic.log | sort | uniq -c | sort -nr`
3. Alternatively, use tools like Wireshark to inspect HTTP headers for multiple distinct 'X-Forwarded-For' values in login attempts.
4. You can also write scripts to parse web server logs (if they log 'X-Forwarded-For') to identify many different IPs in that header associated with failed login attempts.

Detecting this behavior indicates potential exploitation of the vulnerability. [1]
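The log-parsing script suggested in step 4 of the detection answer, written here as an added example (not code from BaseFortify or the WBCE CMS project). It assumes an Apache "combined" access log with the X-Forwarded-For request header appended as a final quoted field, an assumed login path of `/admin/login/index.php`, and uses constructed sample lines; it flags any client IP that sent login POSTs carrying more distinct X-Forwarded-For values than a threshold, which is the counter-reset pattern described above.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). Assumed format: Apache "combined"
# log with the X-Forwarded-For header appended, i.e. LogFormat ending in
# "\"%{X-Forwarded-For}i\"". The login path is an assumption, not WBCE's real one.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Dec/2025:10:00:01 +0000] "POST /admin/login/index.php HTTP/1.1" 200 4120 "-" "curl/8.5" "10.0.0.1"
203.0.113.7 - - [09/Dec/2025:10:00:02 +0000] "POST /admin/login/index.php HTTP/1.1" 200 4120 "-" "curl/8.5" "10.0.0.2"
203.0.113.7 - - [09/Dec/2025:10:00:03 +0000] "POST /admin/login/index.php HTTP/1.1" 200 4120 "-" "curl/8.5" "10.0.0.3"
203.0.113.7 - - [09/Dec/2025:10:00:04 +0000] "POST /admin/login/index.php HTTP/1.1" 200 4120 "-" "curl/8.5" "10.0.0.4"
203.0.113.7 - - [09/Dec/2025:10:00:05 +0000] "GET /admin/login/index.php HTTP/1.1" 200 4120 "-" "curl/8.5" "10.0.0.5"
198.51.100.4 - - [09/Dec/2025:10:00:06 +0000] "POST /admin/login/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
198.51.100.4 - - [09/Dec/2025:10:00:07 +0000] "POST /admin/login/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0" "-"
"""

# client = the TCP peer address the web server actually saw; xff = the header value
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def find_xff_rotation(log_text, login_path="/admin/login/index.php", threshold=3):
    """Return {client_ip: sorted distinct X-Forwarded-For values} for each client
    whose login POSTs carried at least `threshold` different X-Forwarded-For values.
    A real client behind a proxy chain keeps a stable header value; one that
    rotates it per request is trying to be counted as a fresh IP each time."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue  # only login attempts (POSTs to the login path) are of interest
        xff = m["xff"].strip()
        if xff and xff != "-":  # an absent header cannot be used to reset the counter
            seen[m["client"]].add(xff)
    return {ip: sorted(values) for ip, values in seen.items() if len(values) >= threshold}


if __name__ == "__main__":
    for ip, values in find_xff_rotation(SAMPLE_LOG).items():
        print(f"{ip}: {len(values)} distinct X-Forwarded-For values on login POSTs: {values}")
```

The distinct-value count is keyed on the TCP peer address, so a legitimate user whose proxy sets one stable X-Forwarded-For value never crosses the threshold.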