Search
Total
189 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-49792 | 1 Nextcloud | 1 Nextcloud Server | 2024-01-03 | N/A | 9.8 CRITICAL |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a wrong remote address for an attacker, allowing them executing authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available. | |||||
| CVE-2023-27172 | 1 Xpand-it | 1 Write-back Manager | 2024-01-02 | N/A | 9.1 CRITICAL |
| Xpand IT Write-back Manager v2.3.1 uses weak secret keys to sign JWT tokens. This allows attackers to easily obtain the secret key used to sign JWT tokens via a bruteforce attack. | |||||
| CVE-2023-6928 | 1 Eurotel | 2 Etl3100, Etl3100 Firmware | 2023-12-29 | N/A | 9.8 CRITICAL |
| EuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system. | |||||
| CVE-2023-6912 | 1 M-files | 1 M-files Server | 2023-12-28 | N/A | 9.8 CRITICAL |
| Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords. | |||||
| CVE-2023-6272 | 1 Thememylogin | 1 2fa | 2023-12-22 | N/A | 9.8 CRITICAL |
| The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits. | |||||
| CVE-2023-3605 | 1 Phpgurukul | 1 Online Shopping Portal | 2023-12-22 | N/A | 9.1 CRITICAL |
| A vulnerability was found in PHPGurukul Online Shopping Portal 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Registration Page. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-233467. | |||||
| CVE-2023-50444 | 1 Primx | 3 Zed\!, Zedmail, Zonecentral | 2023-12-20 | N/A | 7.5 HIGH |
| By default, .ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission); ZED! for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before 2023.5; ZEDMAIL for Windows before 2023.5; and ZED! for Windows, Mac, Linux before 2023.5 include an encrypted version of sensitive user information, which could allow an unauthenticated attacker to obtain it via brute force. | |||||
| CVE-2023-49278 | 1 Umbraco | 1 Umbraco Cms | 2023-12-15 | N/A | 5.3 MEDIUM |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. | |||||
| CVE-2023-6756 | 1 Thecosy | 1 Icecms | 2023-12-15 | N/A | 9.8 CRITICAL |
| A vulnerability was found in Thecosy IceCMS 2.0.1. It has been classified as problematic. Affected is an unknown function of the file /login of the component Captcha Handler. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247884. | |||||
| CVE-2023-35039 | 1 Bedevious | 1 Password Reset With Code For Wordpress Rest Api | 2023-12-12 | N/A | 9.8 CRITICAL |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15. | |||||
| CVE-2023-49443 | 1 Html-js | 1 Doracms | 2023-12-11 | N/A | 9.8 CRITICAL |
| DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack. | |||||
| CVE-2023-24051 | 1 Connectize | 2 Ac21000 G6, Ac21000 G6 Firmware | 2023-12-08 | N/A | 9.8 CRITICAL |
| A client side rate limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute force style attacks. | |||||
| CVE-2023-48028 | 1 Kodcloud | 1 Kodbox | 2023-11-25 | N/A | 9.8 CRITICAL |
| kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack. | |||||
| CVE-2023-41270 | 1 Samsung | 2 Ue40d7000, Ue40d7000 Firmware | 2023-11-14 | N/A | 4.3 MEDIUM |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Samsung Smart TV UE40D7000 version T-GAPDEUC-1033.2 and before allows attackers to cause a denial of service via WPS attack tools. | |||||
| CVE-2023-4625 | 1 Mitsubishielectric | 126 Fx5s-30mr\/es, Fx5s-30mr\/es Firmware, Fx5s-30mt\/es and 123 more | 2023-11-14 | N/A | 5.3 MEDIUM |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules Web server function allows a remote unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally by continuously attempting unauthorized login to the Web server function. The impact of this vulnerability will persist while the attacker continues to attempt unauthorized login. | |||||
| CVE-2023-41350 | 1 Nokia | 2 G-040w-q, G-040w-q Firmware | 2023-11-13 | N/A | 9.8 CRITICAL |
| Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient measures to prevent multiple failed authentication attempts. An unauthenticated remote attacker can execute a crafted Javascript to expose captcha in page, making it very easy for bots to bypass the captcha check and more susceptible to brute force attacks. | |||||
| CVE-2023-40706 | 1 Opto22 | 2 Snap Pac S1, Snap Pac S1 Firmware | 2023-08-29 | N/A | 9.8 CRITICAL |
| There is no limit on the number of login attempts in the web server for the SNAP PAC S1 Firmware version R10.3b. This could allow for a brute-force attack on the built-in web server login. | |||||
| CVE-2023-26271 | 1 Ibm | 1 Guardium Cloud Key Manager | 2023-08-29 | N/A | 7.5 HIGH |
| IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3)) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 248126. | |||||
| CVE-2022-43904 | 1 Ibm | 1 Security Guardium | 2023-08-29 | N/A | 7.5 HIGH |
| IBM Security Guardium 11.3 and 11.4 could disclose sensitive information to an attacker due to improper restriction of excessive authentication attempts. IBM X-Force ID: 240895. | |||||
| CVE-2023-26756 | 1 Revive | 1 Adserver | 2023-08-17 | N/A | 7.5 HIGH |
| The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. | |||||
| CVE-2023-39958 | 1 Nextcloud | 1 Nextcloud Server | 2023-08-16 | N/A | 5.3 MEDIUM |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. | |||||
| CVE-2023-21709 | 1 Microsoft | 1 Exchange Server | 2023-08-10 | N/A | 9.8 CRITICAL |
| Microsoft Exchange Server Elevation of Privilege Vulnerability | |||||
| CVE-2023-3669 | 1 Codesys | 1 Development System | 2023-08-08 | N/A | 3.3 LOW |
| A missing Brute-Force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker to have unlimited attempts of guessing the password within an import dialog. | |||||
| CVE-2021-22640 | 1 Ovarro | 15 Tbox Lt2-530, Tbox Lt2-530 Firmware, Tbox Lt2-532 and 12 more | 2023-08-08 | N/A | 9.8 CRITICAL |
| An attacker can decrypt the Ovarro TBox login password by communication capture and brute force attacks. | |||||
| CVE-2022-22487 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Server, Linux Kernel and 1 more | 2023-08-08 | 5.0 MEDIUM | 9.8 CRITICAL |
| An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrative ID. A remote attacker could exploit this vulnerability using brute force techniques to gain unauthorized administrative access to both the IBM Spectrum Protect storage agent and the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 with which it communicates. IBM X-Force ID: 226326. | |||||
| CVE-2022-30305 | 1 Fortinet | 2 Fortideceptor, Fortisandbox | 2023-08-08 | N/A | 7.5 HIGH |
| An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2, 3.3.0 through 3.3.3, 3.2.0 through 3.2.2,3.1.0 through 3.1.1 and 3.0.0 through 3.0.2 may allow a remote attacker to repeatedly enter incorrect credentials without causing a log entry, and with no limit on the number of failed authentication attempts. | |||||
| CVE-2022-22485 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Operations Center, Linux Kernel and 1 more | 2023-08-08 | 7.5 HIGH | 9.8 CRITICAL |
| In some cases, an unsuccessful attempt to log into IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14.000 does not cause the administrator's invalid sign-on count to be incremented on the IBM Spectrum Protect Server. An attacker could exploit this vulnerability using brute force techniques to gain unauthorized administrative access to the IBM Spectrum Protect Server. IBM X-Force ID: 226325. | |||||
| CVE-2023-32657 | 1 Weintek | 1 Weincloud | 2023-07-26 | N/A | 7.5 HIGH |
| Weintek Weincloud v0.13.6 could allow an attacker to efficiently develop a brute force attack on credentials with authentication hints from error message responses. | |||||
| CVE-2022-31234 | 1 Dell | 10 Emc Powerstore 1200t, Emc Powerstore 1200t Firmware, Emc Powerstore 3200t and 7 more | 2022-07-30 | N/A | 9.8 CRITICAL |
| Dell EMC PowerStore, contain(s) an Improper Restriction of Excessive Authentication Attempts Vulnerability in PowerStore Manager GUI. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. | |||||
| CVE-2022-24689 | 1 Dsk | 1 Dsknet | 2022-07-28 | N/A | 5.3 MEDIUM |
| An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts. | |||||
| CVE-2022-22452 | 2 Ibm, Linux | 2 Security Verify Governance, Linux Kernel | 2022-07-20 | N/A | 7.5 HIGH |
| IBM Security Verify Identity Manager 10.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 224918. | |||||
| CVE-2022-2321 | 1 Heroiclabs | 1 Nakama | 2022-07-14 | 5.0 MEDIUM | 9.8 CRITICAL |
| Improper Restriction of Excessive Authentication Attempts in GitHub repository heroiclabs/nakama prior to 3.13.0. This results in login brute-force attacks. | |||||
| CVE-2021-20415 | 1 Ibm | 1 Guardium Data Encryption | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| IBM Guardium Data Encryption (GDE) 4.0.0.4 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 196217. | |||||
| CVE-2018-19021 | 1 Emerson | 1 Deltav | 2022-07-12 | 3.3 LOW | 6.5 MEDIUM |
| A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service. | |||||
| CVE-2020-18698 | 1 Talelin | 1 Lin-cms-flask | 2022-07-10 | 5.0 MEDIUM | 9.8 CRITICAL |
| Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component 'app/api/cms/user.py'. | |||||
| CVE-2022-22496 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Server, Linux Kernel and 1 more | 2022-07-08 | 3.3 LOW | 6.5 MEDIUM |
| While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL. While in this mode, it may be susceptible to an offline dictionary attack. IBM X-Force ID: 226942. | |||||
| CVE-2022-31273 | 1 17ido | 1 Topidp3000 Topsec Operating System | 2022-06-23 | 5.0 MEDIUM | 9.8 CRITICAL |
| An issue in TopIDP3000 Topsec Operating System tos_3.3.005.665b.15_smpidp allows attackers to perform a brute-force attack via a crafted session_id cookie. | |||||
| CVE-2022-28384 | 1 Verbatim | 4 Keypad Secure Usb 3.2 Gen 1, Keypad Secure Usb 3.2 Gen 1 Firmware, Store \'n\' Go Secure Portable Hdd and 1 more | 2022-06-21 | 2.1 LOW | 5.5 MEDIUM |
| An issue was discovered in certain Verbatim drives through 2022-03-31. Due to an insecure design, they allow an offline brute-force attack for determining the correct passcode, and thus gaining unauthorized access to the stored encrypted data. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428 and Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0. | |||||
| CVE-2022-28386 | 1 Verbatim | 4 Gd25lk01-3637-c, Gd25lk01-3637-c Firmware, Keypad Secure Usb 3.2 Gen 1 and 1 more | 2022-06-20 | 2.1 LOW | 4.6 MEDIUM |
| An issue was discovered in certain Verbatim drives through 2022-03-31. The security feature for lockout (e.g., requiring a reformat of the drive after 20 failed unlock attempts) does not work as specified. More than 20 attempts may be made. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428 and Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0. | |||||
| CVE-2022-29084 | 1 Dell | 3 Unity Operating Environment, Unity Xt Operating Environment, Unityvsa Operating Environment | 2022-06-13 | 10.0 HIGH | 9.8 CRITICAL |
| Dell Unity, Dell UnityVSA, and Dell Unity XT versions before 5.2.0.0.5.173 do not restrict excessive authentication attempts in Unisphere GUI. A remote unauthenticated attacker may potentially exploit this vulnerability to brute-force passwords and gain access to the system as the victim. Account takeover is possible if weak passwords are used by users. | |||||
| CVE-2022-30235 | 1 Schneider-electric | 4 Wiser Smart Eer21000, Wiser Smart Eer21000 Firmware, Wiser Smart Eer21001 and 1 more | 2022-06-13 | 5.0 MEDIUM | 9.8 CRITICAL |
| A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow unauthorized access when an attacker uses brute force. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior) | |||||
| CVE-2013-10004 | 1 Telecomsoftware | 2 Samwin Agent, Samwin Contact Center | 2022-06-08 | 5.0 MEDIUM | 9.8 CRITICAL |
| A vulnerability classified as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1. This vulnerability affects the function passwordScramble in the library SAMwinLIBVB.dll of the component Password Handler. Incorrect implementation of a hashing function leads to predictable authentication possibilities. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2021-3412 | 1 Redhat | 2 3scale, 3scale Api Management | 2022-06-03 | 5.0 MEDIUM | 7.3 HIGH |
| It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks. | |||||
| CVE-2022-24044 | 1 Siemens | 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more | 2022-06-01 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The login functionality of the application does not employ any countermeasures against Password Spraying attacks or Credential Stuffing attacks. An attacker could obtain a list of valid usernames on the device by exploiting the issue and then perform a precise Password Spraying or Credential Stuffing attack in order to obtain access to at least one account. | |||||
| CVE-2021-40360 | 1 Siemens | 2 Simatic Pcs 7, Simatic Wincc | 2022-05-20 | 4.0 MEDIUM | 8.8 HIGH |
| A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 19), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). The password hash of a local user account in the remote server could be granted via public API to a user on the affected system. An authenticated attacker could brute force the password hash and use it to login to the server. | |||||
| CVE-2022-26519 | 1 Carrier | 2 Hills Comnav, Hills Comnav Firmware | 2022-04-29 | 2.1 LOW | 5.5 MEDIUM |
| There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials. | |||||
| CVE-2020-26556 | 1 Bluetooth | 2 Bluetooth Core Specification, Mesh Profile | 2022-04-29 | 2.9 LOW | 7.5 HIGH |
| Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment. | |||||
| CVE-2020-7995 | 1 Dolibarr | 1 Dolibarr | 2022-04-26 | 10.0 HIGH | 9.8 CRITICAL |
| The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts. | |||||
| CVE-2020-29136 | 1 Cpanel | 1 Cpanel | 2022-04-26 | 4.0 MEDIUM | 6.5 MEDIUM |
| In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575). | |||||
| CVE-2021-25309 | 1 Gigaset | 2 Dx600a, Dx600a Firmware | 2022-04-26 | 5.0 MEDIUM | 9.8 CRITICAL |
| The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) allows remote attackers to easily obtain administrative access via brute-force attacks. | |||||