Gallery 2 up to 2.0.2 allows remote attackers to spoof their IP address via a modified X-Forwarded-For (X_FORWARDED_FOR) HTTP header, which is checked by Gallery before other more reliable sources of IP address information, such as REMOTE_ADDR.
Exploitability
AV:NAC:LAu:NImpact
C:PI:PA:N6.4/AV:N/AC:L/Au:N/C:P/I:P/A:N