CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-6505
https://notcve.org/view.php?id=CVE-2025-6505
29 Jul 2025 — Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters. El acceso no autorizado y la suplantación de iden... • https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6505 • CWE-287: Improper Authentication •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-6504 – Possibilities of IP Spoofing via X-Forwarded-For (XFF) Header
https://notcve.org/view.php?id=CVE-2025-6504
29 Jul 2025 — In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range. This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access. En versiones de HDP Server anteriores a la 4.6.2.2978 en Linux, se podía producir acceso no autorizado... • https://community.progress.com/s/article/DataDirect-Hybrid-Data-Pipeline-Critical-Security-Product-Alert-Bulletin-July-2025---CVE-2025-6504 • CWE-345: Insufficient Verification of Data Authenticity •