CVE-2020-35590

CVE-2020-35590 – WordPress Plugin Limit Login Attempts Reloaded

Vulnerability Description: Improper Restriction of Excessive Authentication Attempts (Rate Limit Bypass on login page)
Software Version: WordPress Plugin Limit Login Attempts Reloaded versions 2.13.0 – 2.17.3.
NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-35590
CVSSv3: 9.8
Severity: Critical
Credits: Veno Eivazian

LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of the per-IP-address rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to take the client source IP address from an arbitrary request header, a malicious user is not rate-limited while performing a brute-force attack, because the client IP header accepts any arbitrary string. By randomizing the header value on each request, the login failure count for any single key never reaches the maximum allowed retries.
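The following is an added illustration of the keying mistake described above and of the fix that closes it; it is not code from the plugin or from the advisory author. The vulnerable key function mirrors the described behaviour (the header value, whatever it is, becomes the rate-limit key); the hardened one uses the transport peer address and honours X-Forwarded-For only when the peer is a configured, trusted reverse proxy, taking the rightmost entry that proxy appended. The trusted-proxy range, the lockout threshold, the peer address and the header values are constructed for the demonstration.

```python
"""Rate-limit keying for login failures: vulnerable versus hardened (added example)."""
from ipaddress import ip_address, ip_network
from typing import Callable, Mapping

MAX_RETRIES = 4  # constructed lockout threshold for the demonstration

# Constructed assumption: only peers in this range are reverse proxies we operate,
# so only they may legitimately append to X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

KeyFunc = Callable[[str, Mapping[str, str]], str]


def vulnerable_client_key(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Mirrors the flaw: any client-supplied header value becomes the rate-limit key."""
    return headers.get("X-Forwarded-For", remote_addr)


def hardened_client_key(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Key on the socket peer unless the peer is a trusted proxy; in that case take
    the rightmost X-Forwarded-For hop that is not itself a trusted proxy."""
    peer = ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return remote_addr  # header came straight from the client: ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Walk from the right: the entry our proxy appended is the real client;
    # everything further left was under the client's control.
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer, never to a free string
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return remote_addr


class LoginLimiter:
    """Minimal failure counter keyed by whatever the supplied key function returns."""

    def __init__(self, key_func: KeyFunc) -> None:
        self.key_func = key_func
        self.failures: dict[str, int] = {}

    def is_locked(self, remote_addr: str, headers: Mapping[str, str]) -> bool:
        return self.failures.get(self.key_func(remote_addr, headers), 0) >= MAX_RETRIES

    def record_failure(self, remote_addr: str, headers: Mapping[str, str]) -> None:
        key = self.key_func(remote_addr, headers)
        self.failures[key] = self.failures.get(key, 0) + 1


def simulate(key_func: KeyFunc, attempts: int = 20) -> bool:
    """Constructed scenario: one untrusted peer sends `attempts` failed logins, each
    with a different X-Forwarded-For value. Returns whether the peer ends up locked."""
    limiter = LoginLimiter(key_func)
    peer = "203.0.113.7"  # constructed documentation-range address
    headers: dict[str, str] = {}
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i}"}
        if limiter.is_locked(peer, headers):
            return True
        limiter.record_failure(peer, headers)
    return limiter.is_locked(peer, headers)


if __name__ == "__main__":
    print("vulnerable keying locks the peer:", simulate(vulnerable_client_key))  # False
    print("hardened keying locks the peer:  ", simulate(hardened_client_key))    # True
```

The design point is that a rate limiter is only as strong as the identity it keys on: a header the client can set is not an identity. When the site genuinely sits behind a reverse proxy, the proxy's own address is the only thing the application can trust, and it should take the single hop that proxy appended rather than the leftmost value.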