CVE-2025-6504

High CVSS: 8.4

In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header.

Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range.

This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.

Vendor

Progress

Product

Hybrid Data Pipeline

CWE

CWE-345

Yayın Tarihi

2025-07-29 13:15:28

Güncelleme

2025-10-02 17:40:57

Source Identifier

security@progress.com

KEV Date Added

Kategoriler

CWE-345 Hybrid Data Pipeline HIGH Progress 2025

Referanslar

https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6504

Benzer Kayıtlar

Medium

CVE-2026-2878

In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyn…

High

CVE-2025-13447

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker…

High

CVE-2025-13444

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker…

High

CVE-2025-13774

A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability…

Low

CVE-2025-11235

Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MO…

Medium

CVE-2025-13147

Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before…