IP Whitelist Bypass in Knock Knock Plugin for Craft CMS
CVE-2020-13485

9.1CRITICAL

Key Information:

Vendor: Verbb
Status: Knock Knock
Vendor: CVE Published:; 25 May 2020

What is CVE-2020-13485?

The Knock Knock plugin for Craft CMS prior to version 1.2.8 contains a vulnerability that enables an attacker to bypass the IP Whitelist through manipulation of the X-Forwarded-For HTTP header. This can potentially allow unauthorized access to the application, compromising its integrity and security. It is crucial for users of the plugin to update to the latest versions to mitigate risks associated with this vulnerability.

References

https://github.com/verbb/knock-knock/blob/craft-3/CHANGEL...

x_refsource_MISC

https://limpidsecurity.pl/security-advisories/1/knock-kno...

x_refsource_MISC

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 25, 2020
Vulnerability Reserved
May 25, 2020

CVE-2020-13485 Data

JSON

Verbb

What is CVE-2020-13485?

References

CVSS V3.1

Timeline