Search
Total
90 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-49792 | 1 Nextcloud | 1 Nextcloud Server | 2024-01-03 | N/A | 9.8 CRITICAL |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a wrong remote address for an attacker, allowing them executing authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available. | |||||
| CVE-2023-27172 | 1 Xpand-it | 1 Write-back Manager | 2024-01-02 | N/A | 9.1 CRITICAL |
| Xpand IT Write-back Manager v2.3.1 uses weak secret keys to sign JWT tokens. This allows attackers to easily obtain the secret key used to sign JWT tokens via a bruteforce attack. | |||||
| CVE-2023-6928 | 1 Eurotel | 2 Etl3100, Etl3100 Firmware | 2023-12-29 | N/A | 9.8 CRITICAL |
| EuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system. | |||||
| CVE-2023-6912 | 1 M-files | 1 M-files Server | 2023-12-28 | N/A | 9.8 CRITICAL |
| Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords. | |||||
| CVE-2023-6272 | 1 Thememylogin | 1 2fa | 2023-12-22 | N/A | 9.8 CRITICAL |
| The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits. | |||||
| CVE-2023-3605 | 1 Phpgurukul | 1 Online Shopping Portal | 2023-12-22 | N/A | 9.1 CRITICAL |
| A vulnerability was found in PHPGurukul Online Shopping Portal 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Registration Page. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-233467. | |||||
| CVE-2023-6756 | 1 Thecosy | 1 Icecms | 2023-12-15 | N/A | 9.8 CRITICAL |
| A vulnerability was found in Thecosy IceCMS 2.0.1. It has been classified as problematic. Affected is an unknown function of the file /login of the component Captcha Handler. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247884. | |||||
| CVE-2023-35039 | 1 Bedevious | 1 Password Reset With Code For Wordpress Rest Api | 2023-12-12 | N/A | 9.8 CRITICAL |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15. | |||||
| CVE-2023-49443 | 1 Html-js | 1 Doracms | 2023-12-11 | N/A | 9.8 CRITICAL |
| DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack. | |||||
| CVE-2023-24051 | 1 Connectize | 2 Ac21000 G6, Ac21000 G6 Firmware | 2023-12-08 | N/A | 9.8 CRITICAL |
| A client side rate limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute force style attacks. | |||||
| CVE-2023-48028 | 1 Kodcloud | 1 Kodbox | 2023-11-25 | N/A | 9.8 CRITICAL |
| kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack. | |||||
| CVE-2023-41350 | 1 Nokia | 2 G-040w-q, G-040w-q Firmware | 2023-11-13 | N/A | 9.8 CRITICAL |
| Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient measures to prevent multiple failed authentication attempts. An unauthenticated remote attacker can execute a crafted Javascript to expose captcha in page, making it very easy for bots to bypass the captcha check and more susceptible to brute force attacks. | |||||
| CVE-2023-40706 | 1 Opto22 | 2 Snap Pac S1, Snap Pac S1 Firmware | 2023-08-29 | N/A | 9.8 CRITICAL |
| There is no limit on the number of login attempts in the web server for the SNAP PAC S1 Firmware version R10.3b. This could allow for a brute-force attack on the built-in web server login. | |||||
| CVE-2023-21709 | 1 Microsoft | 1 Exchange Server | 2023-08-10 | N/A | 9.8 CRITICAL |
| Microsoft Exchange Server Elevation of Privilege Vulnerability | |||||
| CVE-2022-22487 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Server, Linux Kernel and 1 more | 2023-08-08 | 5.0 MEDIUM | 9.8 CRITICAL |
| An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrative ID. A remote attacker could exploit this vulnerability using brute force techniques to gain unauthorized administrative access to both the IBM Spectrum Protect storage agent and the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 with which it communicates. IBM X-Force ID: 226326. | |||||
| CVE-2022-22485 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Operations Center, Linux Kernel and 1 more | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| In some cases, an unsuccessful attempt to log into IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14.000 does not cause the administrator's invalid sign-on count to be incremented on the IBM Spectrum Protect Server. An attacker could exploit this vulnerability using brute force techniques to gain unauthorized administrative access to the IBM Spectrum Protect Server. IBM X-Force ID: 226325. | |||||
| CVE-2021-22640 | 1 Ovarro | 15 Tbox Lt2-530, Tbox Lt2-530 Firmware, Tbox Lt2-532 and 12 more | 2023-08-08 | N/A | 9.8 CRITICAL |
| An attacker can decrypt the Ovarro TBox login password by communication capture and brute force attacks. | |||||
| CVE-2022-31234 | 1 Dell | 10 Emc Powerstore 1200t, Emc Powerstore 1200t Firmware, Emc Powerstore 3200t and 7 more | 2022-07-30 | N/A | 9.8 CRITICAL |
| Dell EMC PowerStore, contain(s) an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. | |||||
| CVE-2022-2321 | 1 Heroiclabs | 1 Nakama | 2022-07-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| Improper Restriction of Excessive Authentication Attempts in GitHub repository heroiclabs/nakama prior to 3.13.0. This results in login brute-force attacks. | |||||
| CVE-2020-18698 | 1 Talelin | 1 Lin-cms-flask | 2022-07-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component 'app/api/cms/user.py'. | |||||
| CVE-2022-31273 | 1 17ido | 1 Topidp3000 Topsec Operating System | 2022-06-23 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue in TopIDP3000 Topsec Operating System tos_3.3.005.665b.15_smpidp allows attackers to perform a brute-force attack via a crafted session_id cookie. | |||||
| CVE-2022-29084 | 1 Dell | 3 Unity Operating Environment, Unity Xt Operating Environment, Unityvsa Operating Environment | 2022-06-13 | 10.0 HIGH | 9.8 CRITICAL |
| Dell Unity, Dell UnityVSA, and Dell Unity XT versions before 5.2.0.0.5.173 do not restrict excessive authentication attempts in Unisphere GUI. A remote unauthenticated attacker may potentially exploit this vulnerability to brute-force passwords and gain access to the system as the victim. Account takeover is possible if weak passwords are used by users. | |||||
| CVE-2022-30235 | 1 Schneider-electric | 4 Wiser Smart Eer21000, Wiser Smart Eer21000 Firmware, Wiser Smart Eer21001 and 1 more | 2022-06-13 | 5.0 MEDIUM | 9.8 CRITICAL |
| A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow unauthorized access when an attacker uses brute force. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior) | |||||
| CVE-2013-10004 | 1 Telecomsoftware | 2 Samwin Agent, Samwin Contact Center | 2022-06-08 | 5.0 MEDIUM | 9.8 CRITICAL |
| A vulnerability classified as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1. This vulnerability affects the function passwordScramble in the library SAMwinLIBVB.dll of the component Password Handler. Incorrect implementation of a hashing function leads to predictable authentication possibilities. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2020-7995 | 1 Dolibarr | 1 Dolibarr | 2022-04-26 | 10.0 HIGH | 9.8 CRITICAL |
| The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. | |||||
| CVE-2021-25309 | 1 Gigaset | 2 Dx600a, Dx600a Firmware | 2022-04-26 | 5.0 MEDIUM | 9.8 CRITICAL |
| The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) allows remote attackers to easily obtain administrative access via brute-force attacks. | |||||
| CVE-2022-22810 | 1 Schneider-electric | 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more | 2022-02-16 | 5.0 MEDIUM | 9.8 CRITICAL |
| A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior) | |||||
| CVE-2021-43298 | 1 Embedthis | 1 Goahead | 2022-02-01 | 5.0 MEDIUM | 9.8 CRITICAL |
| The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver's response time until the unauthorized (401) response. | |||||
| CVE-2020-28212 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2022-01-31 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus. | |||||
| CVE-2022-22553 | 1 Dell | 1 Emc Appsync | 2022-01-27 | 7.5 HIGH | 9.8 CRITICAL |
| Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that can be exploited from UI and CLI. An adjacent unauthenticated attacker could potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. | |||||
| CVE-2021-41807 | 1 M-files | 2 M-files Server, M-files Web | 2022-01-26 | 5.0 MEDIUM | 9.8 CRITICAL |
| Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier. | |||||
| CVE-2020-21237 | 1 8cms | 1 Ljcms | 2022-01-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue in the user login box of LJCMS v1.11 allows attackers to hijack user accounts via brute force attacks. | |||||
| CVE-2020-21238 | 1 Chshcms | 1 Cscms | 2022-01-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue in the user login box of CSCMS v4.0 allows attackers to hijack user accounts via brute force attacks. | |||||
| CVE-2021-37934 | 1 Huntflow | 1 Huntflow Enterprise | 2021-12-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing. | |||||
| CVE-2021-42544 | 1 Businessdnasolutions | 1 Topease | 2021-11-30 | 7.5 HIGH | 9.8 CRITICAL |
| Missing Rate Limiting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on the Login Form allows an unauthenticated remote attacker to perform multiple login attempts, which facilitates gaining privileges. | |||||
| CVE-2021-41435 | 1 Asus | 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more | 2021-11-23 | 10.0 HIGH | 9.8 CRITICAL |
| A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request. | |||||
| CVE-2020-14494 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2021-11-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| OpenClinic GA versions 5.09.02 and 5.89.05b contain an authentication mechanism within the system that does not provide sufficient complexity to protect against brute force attacks, which may allow unauthorized users to access the system after no more than a fixed maximum number of attempts. | |||||
| CVE-2021-38474 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2021-10-22 | 5.0 MEDIUM | 9.8 CRITICAL |
| InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have has no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitation and without harming the normal operation of the user. This could allow an attacker to gain valid credentials for the product interface. | |||||
| CVE-2021-28909 | 1 Bab-technologie | 2 Eibport, Eibport Firmware | 2021-09-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers to access uncontrolled the login service at /webif/SecurityModule in a brute force attack. The password could be weak and default username is known as 'admin'. This is usable and part of an attack chain to gain SSH root access. | |||||
| CVE-2021-28911 | 1 Bab-technologie | 2 Eibport, Eibport Firmware | 2021-09-20 | 10.0 HIGH | 9.8 CRITICAL |
| BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers access to /tmp path which contains some sensitive data (e.g. device serial number). Having those info, a possible loginId can be self-calculated in a brute force attack against BMX interface. This is usable and part of an attack chain to gain SSH root access. | |||||
| CVE-2021-22915 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2021-09-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection. | |||||
| CVE-2021-32522 | 1 Qsan | 3 Sanos, Storage Manager, Xevo | 2021-09-20 | 5.0 MEDIUM | 9.8 CRITICAL |
| Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users’ credentials and obtain access via a brute force attack. Suggest contacting with QSAN and refer to recommendations in QSAN Document. | |||||
| CVE-2020-6875 | 1 Zte | 2 Zxone 19700 Snpe, Zxone 19700 Snpe Firmware | 2021-07-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| A ZTE product is impacted by the improper access control vulnerability. Due to lack of an authentication protection mechanism in the program, attackers could use this vulnerability to gain access right through brute-force attacks. This affects: <ZXONE 19700 SNPE><ZXONE8700V1.40R2B13_SNPE> | |||||
| CVE-2019-13394 | 1 Netgear | 2 Cg3700b, Cg3700b Firmware | 2021-07-21 | 5.0 MEDIUM | 9.8 CRITICAL |
| The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Basic Authentication over cleartext HTTP. | |||||
| CVE-2020-15786 | 1 Siemens | 8 Simatic Hmi Basic Panels 2nd Generation, Simatic Hmi Basic Panels 2nd Generation Firmware, Simatic Hmi Comfort Panels and 5 more | 2021-06-08 | 5.0 MEDIUM | 9.8 CRITICAL |
| A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions < V16), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions <= V16), SIMATIC HMI Mobile Panels (All versions <= V16), SIMATIC HMI Unified Comfort Panels (All versions <= V16). Affected devices insufficiently block excessive authentication attempts. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack. | |||||
| CVE-2021-31646 | 1 Gestsup | 1 Gestsup | 2021-05-04 | 7.5 HIGH | 9.8 CRITICAL |
| Gestsup before 3.2.10 allows account takeover through the password recovery functionality (remote). The affected component is the file forgot_pwd.php - it uses a weak algorithm for the generation of password recovery tokens (the PHP uniqueid function), allowing a brute force attack. | |||||
| CVE-2019-18235 | 1 Advantech | 2 Spectre Rt Ert351, Spectre Rt Ert351 Firmware | 2021-03-23 | 7.5 HIGH | 9.8 CRITICAL |
| Advantech Spectre RT ERT351 Versions 5.1.3 and prior has insufficient login authentication parameters required for the web application may allow an attacker to gain full access using a brute-force password attack. | |||||
| CVE-2021-27514 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2021-02-26 | 7.5 HIGH | 9.8 CRITICAL |
| EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation). | |||||
| CVE-2020-35565 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2021-02-19 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default. | |||||
| CVE-2020-25196 | 1 Moxa | 2 Nport Iaw5000a-i\/o, Nport Iaw5000a-i\/o Firmware | 2020-12-23 | 5.0 MEDIUM | 9.8 CRITICAL |
| The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows SSH/Telnet sessions, which may be vulnerable to brute force attacks to bypass authentication. | |||||