| Title | GitHub OpnForm 1.9.3 Authentication Bypass by Spoofing |
|---|
| Description | Title: Login Form Susceptible to Brute-Force Protection Bypass
Description: Brute-force protections can be bypassed by adding an X-Forwarded-For header, spoofing the attacker’s IP address.
The vulnerability has confirmed by the vendor to have been patched in v1.9.3 main branch with commit 11e99960e14ca986b1a001a56e7533223d2cfa5b.
Please see the attached Google Doc link for more information under 8. Login Form Susceptible to Brute-Force Protection Bypass and the Response from the Vendor section for more detail.
Vulnerable version: https://github.com/JhumanJ/OpnForm/tree/v1.9.3
Patched Commit: https://github.com/JhumanJ/OpnForm/pull/900/commits/11e99960e14ca986b1a001a56e7533223d2cfa5b |
|---|
| Source | ⚠️ https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.va2ituwwqcf3 |
|---|
| User | balejin (UID 89385) |
|---|
| Submission | 10/01/2025 21:09 (9 months ago) |
|---|
| Moderation | 10/07/2025 15:17 (6 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 327378 [JhumanJ OpnForm up to 1.9.3 HTTP Header X-Forwarded-For excessive authentication] |
|---|
| Points | 20 |
|---|