Homebox · Homebox · CVE-2026-27981
**Name of the Vulnerable Software and Affected Versions**
HomeBox versions prior to 0.24.0
**Description**
HomeBox, a home inventory and organization system, contains a flaw in its authentication rate limiter (`authRateLimiter`): it mis-identifies client IP addresses. To track failed login attempts per client, the limiter keys on the `X-Real-IP` header, the first entry of the `X-Forwarded-For` header, and the TCP connection address (`r.RemoteAddr`). Because both headers are client-controlled, an attacker connecting directly to HomeBox can set `X-Real-IP` to a different value on every request, obtaining a fresh identity each time and bypassing the rate limit. The `TrustProxy` configuration option (`Options.TrustProxy`) is not consulted by the rate limiter or by any middleware, and the `middleware.RealIP` call in `main.go` unconditionally overwrites `r.RemoteAddr` with the forged header value. The advisory does not name the authentication API endpoint, but the issue affects rate limiting of authentication attempts. The vulnerable parameters are `X-Real-IP` and `X-Forwarded-For`.
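The following is an added illustration, not HomeBox's own code: a hypothetical `clientKey` helper that gates proxy headers behind a `trustProxy` flag (the analogue of `Options.TrustProxy`), so that a client connecting directly is always bucketed by its TCP peer address, while `trustProxy=true` reproduces the header-trusting behaviour the advisory describes. The request values and the `/login` path are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientKey returns the identity a login rate limiter should bucket on.
// Hypothetical helper for this advisory, not HomeBox's own code. Proxy headers
// are consulted only when trustProxy is set; otherwise the TCP peer address is
// authoritative, so a direct client cannot pick a fresh identity per request.
func clientKey(r *http.Request, trustProxy bool) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil { // RemoteAddr without a port, e.g. in tests
		host = r.RemoteAddr
	}
	if !trustProxy {
		return host
	}
	// Behind a trusted reverse proxy, prefer the address it recorded; require
	// it to parse as an IP so arbitrary strings cannot become bucket names.
	candidates := []string{r.Header.Get("X-Real-IP")}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		candidates = append(candidates, strings.Split(xff, ",")[0])
	}
	for _, c := range candidates {
		if ip := net.ParseIP(strings.TrimSpace(c)); ip != nil {
			return ip.String()
		}
	}
	return host
}

// forgedRequest builds a constructed request from a direct client whose TCP
// peer is 203.0.113.7 but which claims another address in X-Real-IP.
func forgedRequest(claimed string) *http.Request {
	r, _ := http.NewRequest("POST", "/login", nil) // path is hypothetical
	r.RemoteAddr = "203.0.113.7:51234"
	r.Header.Set("X-Real-IP", claimed)
	return r
}

func main() {
	r := forgedRequest("10.0.0.1")
	fmt.Println("trustProxy=true :", clientKey(r, true))  // attacker-chosen
	fmt.Println("trustProxy=false:", clientKey(r, false)) // 203.0.113.7
}
```

With `trustProxy=false` the forged header is ignored and every request from the same connection address shares one bucket; with `trustProxy=true` only a value that parses as an IP is accepted, and the peer address remains the fallback.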
**Recommendations**
Update to version 0.24.0 or later.