PT-2024-29393 · Likeshop · Likeshop

Published 2024-08-07 · Updated 2024-08-08 · CVE-2024-41432

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Likeshop versions up to 2.5.7.20210811
Description: Likeshop derives the client's IP address from request headers that the client itself controls. By adding a forged 'X-Forwarded' or 'Client-IP' header, an attacker can replace their real IP address with any arbitrary value. This can be used to bypass per-IP account lockout during login attempts against admin accounts (each attempt can be made to appear to come from a different address), to spoof the source IP recorded for requests sent to the server, and to impersonate IP addresses that have previously logged into user accounts.
Recommendations: For versions up to 2.5.7.20210811, as a temporary workaround until a patch is available, prevent client-supplied 'X-Forwarded' and 'Client-IP' headers from reaching the application: strip or overwrite them at a trusted reverse proxy so that the application only ever sees the value the proxy sets, and only honour a forwarded address on connections that actually come from that proxy. Restrict access to admin accounts and monitor login activity for suspicious patterns to reduce the risk of exploitation.
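The following is an added illustration of the flaw described above and of the workaround in the recommendations; it is example code written for this page, not Likeshop's own code. It models a per-IP login lockout fed by two different client-IP resolvers: a vulnerable one that lets any 'X-Forwarded', 'Client-IP' (or the common 'X-Forwarded-For') header override the socket peer, and a hardened one that only trusts a forwarded address when the TCP peer is a known reverse proxy. The proxy network (10.0.0.0/8), the lockout threshold of 5, the header names beyond those in the advisory and the attacker scenario are all assumptions constructed for the example.

```python
"""Added example (not Likeshop code): spoofable client-IP headers versus a
per-IP login lockout, and a resolver that only trusts a forwarded address
coming from a known reverse proxy."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example: one trusted reverse-proxy tier on 10.0.0.0/8,
# lockout after 5 failed logins from the same resolved IP address.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
LOCKOUT_THRESHOLD = 5
# Header names from the advisory plus X-Forwarded-For (assumed for illustration).
SPOOFABLE_HEADERS = ("x-forwarded-for", "x-forwarded", "client-ip")


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def vulnerable_client_ip(remote_addr, headers):
    """Flawed pattern: any client-supplied IP header wins over the socket peer."""
    for name in SPOOFABLE_HEADERS:
        value = _header(headers, name)
        if value:
            return value.split(",")[0].strip()  # leftmost entry, fully attacker-controlled
    return remote_addr


def hardened_client_ip(remote_addr, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and use the
    rightmost entry that is not itself a proxy (the proxy appends the real client)."""
    peer = ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return remote_addr  # direct connection: forwarding headers are untrusted input
    value = _header(headers, "x-forwarded-for") or ""
    hops = [hop.strip() for hop in value.split(",") if hop.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: do not guess, fall back to the peer
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return remote_addr


class LoginLockout:
    """Counts failed logins per resolved IP; the resolver decides how spoofable that is."""

    def __init__(self, resolve_ip):
        self.resolve_ip = resolve_ip
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, password_ok=False):
        ip = self.resolve_ip(remote_addr, headers)
        if self.failures[ip] >= LOCKOUT_THRESHOLD:
            return "locked"
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "denied"


def brute_force(resolve_ip, attempts=20):
    """Constructed scenario: a single attacker host rotating the spoofed headers
    on every failed login. Returns the per-attempt outcomes."""
    guard = LoginLockout(resolve_ip)
    attacker = "203.0.113.7"  # constructed attacker address (TEST-NET-3)
    results = []
    for i in range(attempts):
        spoofed = {"Client-IP": f"198.51.100.{i}", "X-Forwarded": f"198.51.100.{i}"}
        results.append(guard.attempt(attacker, spoofed))
    return results


if __name__ == "__main__":
    # Vulnerable resolver: every attempt looks like a new IP, so no lockout ever fires.
    print("vulnerable:", brute_force(vulnerable_client_ip).count("locked"), "locked")
    # Hardened resolver: the attacker is not a trusted proxy, so the peer address is used.
    print("hardened:  ", brute_force(hardened_client_ip).count("locked"), "locked")
```

With the vulnerable resolver the 20 attempts are all counted under different addresses and none is rejected; with the hardened resolver the same attacker is locked out after the fifth failure. The hardened resolver also handles the legitimate proxied case: if a real client behind the proxy sends its own `X-Forwarded-For: 1.1.1.1` and the proxy appends the client's true address, the rightmost non-proxy entry is used, whereas the vulnerable resolver would have taken the client's fake leftmost value.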

Exploit
Fix

Weakness Enumeration
CWE-290 · Authentication Bypass by Spoofing

Related Identifiers
CVE-2024-41432

Affected Products
Likeshop