VYPR

CWE-348

Use of Less Trusted Source

Base · Draft

Description

The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-141 · CAPEC-142 · CAPEC-73 · CAPEC-76 · CAPEC-85

CVEs mapped to this weakness (35)

page 2 of 2
  • CVE-2022-4534 · Med · Oct 8, 2024
    risk 0.27 · cvss 5.3 · epss 0.00

    The Limit Login Attempts (Spam Protection) plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.3. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions.…

  • CVE-2024-6171 · Med · Jul 9, 2024
    risk 0.27 · cvss 5.3 · epss 0.00

    The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 1.5.112 due to insufficient IP address validation and/or use of user-supplied HTTP headers as a primary method…

  • CVE-2025-58422 · Low · Sep 8, 2025
    risk 0.20 · cvss 3.1 · epss 0.00

    RICOH Streamline NX versions 3.5.1 to 24R3 are vulnerable to tampering with operation history. If an attacker can perform a man-in-the-middle attack, they may alter the values of HTTP requests, which could result in tampering with the operation history of the product’s…

  • CVE-2025-24856 · Med · Mar 16, 2025
    risk 0.20 · cvss 4.2 · epss 0.00

    An issue was discovered in the oidc (aka OpenID Connect Authentication) extension before 4.0.0 for TYPO3. The account linking logic allows a pre-hijacking attack, leading to Account Takeover. The attack can only be exploited if the following requirements are met: (1) an attacker…

  • CVE-2023-2897 · Low · Jun 9, 2023
    risk 0.17 · cvss 3.7 · epss 0.00

    The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an implicit trust of user-supplied IP addresses in an 'X-Forwarded-For' HTTP header for the purpose of validating allowed IP addresses…

  • CVE-2025-48825 · Low · Jun 13, 2025
    risk 0.16 · cvss 2.5 · epss 0.00

    RICOH Streamline NX V3 PC Client versions 3.5.0 to 3.7.0 contain an issue with use of a less trusted source, which may allow an attacker who can conduct a man-in-the-middle attack to eavesdrop on upgrade requests and execute a malicious DLL with custom code.

  • CVE-2026-41403 · Low · Apr 28, 2026
    risk 0.12 · cvss 2.9 · epss 0.00

    OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local…

  • CVE-2026-54289 · Jun 16, 2026
    risk 0.00 · cvss · epss 0.00

    On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with `Headers.set` instead of `Headers.append`, so every value overwrites the previous one and only the last reaches the…

  • CVE-2026-48061 · Jun 10, 2026
    risk 0.00 · cvss · epss 0.00

    `AllowedHostsMiddleware` trusts the `X-Forwarded-Host` header as a fallback when the `Host` header is absent. Since `X-Forwarded-Host` is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the `Host` header and supplying an…

  • CVE-2026-33690 · Mar 23, 2026
    risk 0.00 · cvss · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged…

  • CVE-2025-48865 · May 30, 2025
    risk 0.00 · cvss · epss 0.01

    Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like…

  • CVE-2024-47880 · Oct 24, 2024
    risk 0.00 · cvss · epss 0.00

    OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to…

  • CVE-2024-45410 · Sep 19, 2024
    risk 0.00 · cvss · epss 0.02

    Traefik is a golang, Cloud Native Application Proxy. When an HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For an HTTP client, it should not be possible…

  • CVE-2024-44930 · Aug 29, 2024
    risk 0.00 · cvss · epss 0.00

    Serilog before v2.1.0 was discovered to contain a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses by specifying an arbitrary IP as a value of X-Forwarded-For or Client-Ip headers while performing HTTP requests.

  • CVE-2023-37265 · Jul 17, 2023
    risk 0.00 · cvss · epss 0.06

    CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, an unauthenticated attacker can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This…