CVE-2020-13485

CRITICAL

verbb knock_knock < 1.2.8 - IP Whitelist Bypass via X-Forwarded-For Header

Title source: llm

The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.

Core 2

Core References

Release Notes, Third Party Advisory x_refsource_misc

Exploit, Third Party Advisory x_refsource_misc

CVSS v3 9.1

EPSS 0.0135

EPSS Percentile 67.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-697

Status published

Products (2)

verbb/knock-knock 0 - 1.2.8Packagist

verbb/knock_knock < 1.2.8

Published May 25, 2020

Tracked Since Feb 18, 2026