Vulnerability:
IP Whitelist bypass

Product:
Knock Knock Plugin for Craft CMS

Version:
< 1.2.8

Details:
The IP whitelist mechanism is improperly designed: it compares the whitelisted IP addresses against the value of the X-Forwarded-For request header rather than against the address of the connecting client. Because X-Forwarded-For is supplied by the client, the whitelist may be bypassed by manipulating that header.

Technical details:
For the example below, the IP address 4.5.6.7 has been added to the IP whitelist.

request:
response:
request:
response:
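
The following is an added example, not code from the Knock Knock plugin or from Craft CMS, written in Python rather than the plugin's PHP to illustrate the design flaw and its fix independently of the framework. `vulnerable_is_whitelisted` reproduces the flawed logic the advisory describes (the header is trusted unconditionally); `is_whitelisted` shows the usual remedy: consult X-Forwarded-For only when the TCP peer is a configured trusted reverse proxy, and walk the chain from the right, discarding trusted hops, so that the address the trusted proxy actually saw is used. The whitelist entry 4.5.6.7 comes from the advisory; the trusted proxy range `10.0.0.0/8`, the loopback entry, and the `headers` dictionary are constructed assumptions.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample configuration for this example (not the plugin's settings).
WHITELIST = ["4.5.6.7"]                        # the address from the advisory
TRUSTED_PROXIES = ["10.0.0.0/8", "127.0.0.1"]  # hypothetical reverse-proxy addresses


def _parse(addr: str) -> Optional[IPAddress]:
    """Parse one address, returning None for anything that is not a valid IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _in_networks(ip: IPAddress, networks: Iterable[str]) -> bool:
    """True if ip falls inside any of the given addresses or CIDR ranges."""
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def vulnerable_is_whitelisted(remote_addr: str, headers: Dict[str, str],
                              whitelist: Iterable[str] = WHITELIST) -> bool:
    """Flawed check: X-Forwarded-For is trusted whoever sent it (the advisory's bug)."""
    forwarded = _header(headers, "X-Forwarded-For")
    candidate = forwarded.split(",")[0] if forwarded else remote_addr
    ip = _parse(candidate)
    return ip is not None and _in_networks(ip, whitelist)


def client_ip(remote_addr: str, headers: Dict[str, str],
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> Optional[IPAddress]:
    """Resolve the real client address.

    The header is only consulted when the TCP peer is a trusted proxy. The
    chain is then walked right to left, skipping our own proxies, so the first
    untrusted hop (the address the trusted proxy connected from) wins. Any
    addresses an attacker prepends are never reached.
    """
    peer = _parse(remote_addr)
    if peer is None:
        return None
    if not _in_networks(peer, trusted_proxies):
        return peer  # direct connection: the header is client-controlled, ignore it
    forwarded = _header(headers, "X-Forwarded-For")
    hops = [h for h in (_parse(x) for x in forwarded.split(",") if x.strip()) if h is not None]
    for hop in reversed(hops):
        if not _in_networks(hop, trusted_proxies):
            return hop
    return peer  # every listed hop was one of our proxies (or the header was empty)


def is_whitelisted(remote_addr: str, headers: Dict[str, str],
                   whitelist: Iterable[str] = WHITELIST,
                   trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> bool:
    """Hardened check: compare the resolved client address, not the raw header."""
    ip = client_ip(remote_addr, headers, trusted_proxies)
    return ip is not None and _in_networks(ip, whitelist)


if __name__ == "__main__":
    # Constructed requests: a direct client at 203.0.113.9 sending a forged header,
    # and a legitimate client at 4.5.6.7 arriving through the trusted proxy 10.0.0.5.
    forged = {"X-Forwarded-For": "4.5.6.7"}
    print("flawed check, forged header :", vulnerable_is_whitelisted("203.0.113.9", forged))
    print("hardened check, forged header:", is_whitelisted("203.0.113.9", forged))
    print("hardened check, via proxy    :", is_whitelisted("10.0.0.5", forged))
```

The key design point is that `remote_addr` (the socket peer) is the only value the server learns independently of the request; everything in X-Forwarded-For must be attributed to whichever hop appended it, which is why the hardened version discards the header entirely unless the peer is a known proxy and then trusts only the hop that proxy appended. If the application is deployed without a reverse proxy, `TRUSTED_PROXIES` should be empty, which makes `is_whitelisted` fall back to the peer address alone.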

Disclosure timeline:
May 19, 2020 - Vendor notification
May 20, 2020 - Vendor fix
May 25, 2020 - Public disclosure