{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "fixed": "1.7.0"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3271d956a581a00a7d4080426d5ca8f2c4b06102"
            },
            {
              "fixed": "55c2056068be9f1359e967fcff64db6b7f4d00b5"
            }
          ],
          "repo": "https://github.com/phpipam/phpipam",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism and brute force user passwords by supplying an 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the client-supplied 'X-Forwarded-For' header is checked and, if present, its value is used instead of 'REMOTE_ADDR'; because the client controls that header, the address the block mechanism keys on is not the real source address. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0.",
  "id": "CVE-2024-0787",
  "modified": "2026-03-10T21:50:37.070857914Z",
  "published": "2024-11-15T11:15:09.213Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/phpipam/phpipam/commit/55c2056068be9f1359e967fcff64db6b7f4d00b5"
    },
    {
      "type": "EVIDENCE",
      "url": "https://huntr.com/bounties/840cb582-1feb-43ab-9cc4-e4b5a63c5bab"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}