Riclem

Name of the Vulnerable Software and Affected Versions: Pedro Lineu Orso chetcpasswd versions prior to 2.4 Description: The issue allows remote attackers to gain unauthorized access by spoofing the `X-Forwarded-For` HTTP header when verifying a client's status on an IP address ACL. This is due to the software relying on this header for verification. Recommendations: For versions prior to 2.4, consider disabling the use of the `X-Forwarded-For` header in ACL verification until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: chetcpasswd version 2.3.3 Description: The issue allows remote attackers to determine passwords via a dictionary attack because there is no rate limit for client requests. Recommendations: For version 2.3.3, consider implementing a rate limit for client requests to prevent dictionary attacks. As a temporary workaround, restrict access to the service to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: chetcpasswd version 2.3.3 Description: The issue allows remote attackers to determine valid usernames on the system by providing different error messages for requests with valid and invalid usernames. Recommendations: For chetcpasswd version 2.3.3, consider modifying the error handling mechanism to provide generic error messages for both valid and invalid username requests, thereby preventing attackers from determining valid usernames. At the moment, there is no information about a newer version that contains a fix for this vulnerability.