Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-39917

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-12 Jul, 2024 | 15:24
Updated At-02 Aug, 2024 | 04:33
Rejected At-
Credits

xrdp allows an ininite number of login attempts

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:12 Jul, 2024 | 15:24
Updated At:02 Aug, 2024 | 04:33
Rejected At:
▼CVE Numbering Authority (CNA)
xrdp allows an ininite number of login attempts

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

Affected Products
Vendor
neutrinolabs
Product
xrdp
Versions
Affected
  • <= 0.10.0
Problem Types
TypeCWE IDDescription
CWECWE-307CWE-307: Improper Restriction of Excessive Authentication Attempts
Type: CWE
CWE ID: CWE-307
Description: CWE-307: Improper Restriction of Excessive Authentication Attempts
Metrics
VersionBase scoreBase severityVector
3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j
x_refsource_CONFIRM
https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f
x_refsource_MISC
Hyperlink: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
neutrinolabs
Product
xrdp
CPEs
  • cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through 0.10.0 (custom)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j
x_refsource_CONFIRM
x_transferred
https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:12 Jul, 2024 | 16:15
Updated At:05 Sep, 2024 | 15:43

xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
CPE Matches

neutrinolabs
neutrinolabs
>>xrdp>>Versions before 0.10.0(exclusive)
cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-307Primarynvd@nist.gov
CWE-307Secondarysecurity-advisories@github.com
CWE ID: CWE-307
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-307
Type: Secondary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8fsecurity-advisories@github.com
Patch
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5jsecurity-advisories@github.com
Vendor Advisory
Hyperlink: https://github.com/neutrinolabs/xrdp/commit/19c111c74c913ecc6e4ba9a738ed929a79d2ae8f
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-7w22-h4w7-8j5j
Source: security-advisories@github.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

151Records found

CVE-2021-37934
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.36% / 79.39%
||
7 Day CHG~0.00%
Published-10 Dec, 2021 | 16:39
Updated-04 Aug, 2024 | 01:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.

Action-Not Available
Vendor-huntflown/a
Product-huntflow_enterprisen/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-6272
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-0.41% / 60.31%
||
7 Day CHG~0.00%
Published-18 Dec, 2023 | 20:07
Updated-02 Aug, 2024 | 08:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Theme My Login 2FA < 1.2 - Lack of Rate Limiting

The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits.

Action-Not Available
Vendor-thememyloginUnknown
Product-2fatml-2fa
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-5754
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.1||CRITICAL
EPSS-0.08% / 24.37%
||
7 Day CHG~0.00%
Published-26 Oct, 2023 | 19:47
Updated-16 Jan, 2025 | 21:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of Excessive Authentication Attempts in Sielco PolyEco1000

Sielco PolyEco1000 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.

Action-Not Available
Vendor-sielcoSielco
Product-polyeco500polyeco1000polyeco300_firmwarepolyeco300polyeco1000_firmwarepolyeco500_firmwarePolyEco1000
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-30235
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-8.6||HIGH
EPSS-0.34% / 55.82%
||
7 Day CHG~0.00%
Published-02 Jun, 2022 | 22:45
Updated-16 Sep, 2024 | 17:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow unauthorized access when an attacker uses brute force. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)

Action-Not Available
Vendor-
Product-wiser_smart_eer21000wiser_smart_eer21001_firmwarewiser_smart_eer21000_firmwarewiser_smart_eer21001Wiser Smart
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-49443
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 22.48%
||
7 Day CHG~0.00%
Published-08 Dec, 2023 | 00:00
Updated-02 Aug, 2024 | 21:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack.

Action-Not Available
Vendor-html-jsn/a
Product-doracmsn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-49792
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.35% / 56.98%
||
7 Day CHG~0.00%
Published-22 Dec, 2023 | 16:31
Updated-27 Aug, 2024 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bruteforce protection can be bypassed with misconfigured proxy

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a wrong remote address for an attacker, allowing them executing authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.

Action-Not Available
Vendor-Nextcloud GmbH
Product-nextcloud_serversecurity-advisories
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-14484
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.24% / 46.33%
||
7 Day CHG~0.00%
Published-20 Jul, 2020 | 14:45
Updated-04 Aug, 2024 | 12:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass the system’s account lockout protection, which may allow brute force password attacks.

Action-Not Available
Vendor-openclinic_ga_projectn/a
Product-openclinic_gaOpenClinic GA
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-48028
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 52.54%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 00:00
Updated-29 Aug, 2024 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack.

Action-Not Available
Vendor-kodcloudn/a
Product-kodboxn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-13805
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.01% / 1.98%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 14:40
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. It has brute-force attack mishandling because the CAS service lacks a limit on login failures.

Action-Not Available
Vendor-n/aFoxit Software Incorporated
Product-phantompdfreadern/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-28911
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-2.33% / 84.19%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 17:45
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers access to /tmp path which contains some sensitive data (e.g. device serial number). Having those info, a possible loginId can be self-calculated in a brute force attack against BMX interface. This is usable and part of an attack chain to gain SSH root access.

Action-Not Available
Vendor-bab-technologien/a
Product-eibport_firmwareeibportn/a
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-13835
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.12% / 31.18%
||
7 Day CHG~0.00%
Published-04 Jun, 2020 | 17:04
Updated-04 Aug, 2024 | 12:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Samsung mobile devices with O(8.x) (with TEEGRIS) software. The Gatekeeper Trustlet allows a brute-force attack on user credentials. The Samsung ID is SVE-2020-16908 (June 2020).

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CWE ID-CWE-20
Improper Input Validation
CVE-2020-13312
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 30.33%
||
7 Day CHG~0.00%
Published-14 Sep, 2020 | 19:44
Updated-04 Aug, 2024 | 12:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab OAuth endpoint was vulnerable to brute-force attacks through a specific parameter.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-12645
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.34% / 56.04%
||
7 Day CHG~0.00%
Published-31 Aug, 2020 | 14:28
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OX App Suite 7.10.1 to 7.10.3 has improper input validation for rate limits with a crafted User-Agent header, spoofed vacation notices, and /apps/load memory consumption.

Action-Not Available
Vendor-n/aOpen-Xchange AG
Product-open-xchange_appsuiten/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-28909
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.76% / 81.85%
||
7 Day CHG~0.00%
Published-09 Sep, 2021 | 17:35
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers to access uncontrolled the login service at /webif/SecurityModule in a brute force attack. The password could be weak and default username is known as 'admin'. This is usable and part of an attack chain to gain SSH root access.

Action-Not Available
Vendor-bab-technologien/a
Product-eibport_firmwareeibportn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-13918
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-9.8||CRITICAL
EPSS-0.48% / 64.09%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 16:38
Updated-05 Aug, 2024 | 00:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V2.0 SP1). The web interface has no means to prevent password guessing attacks. The vulnerability could be exploited by an attacker with network access to the vulnerable software, requiring no privileges and no user interaction. The vulnerability could allow full access to the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known.

Action-Not Available
Vendor-Siemens AG
Product-sinema_remote_connect_serverSINEMA Remote Connect Server
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CWE ID-CWE-521
Weak Password Requirements
CVE-2022-27516
Matching Score-4
Assigner-Citrix Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Citrix Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 6.24%
||
7 Day CHG~0.00%
Published-08 Nov, 2022 | 21:26
Updated-01 May, 2025 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
User login brute force protection functionality bypass

User login brute force protection functionality bypass

Action-Not Available
Vendor-Citrix (Cloud Software Group, Inc.)
Product-gatewayapplication_delivery_controller_firmwareapplication_delivery_controllerCitrix Gateway, Citrix ADC
CWE ID-CWE-693
Protection Mechanism Failure
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-22640
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.23% / 45.41%
||
7 Day CHG~0.00%
Published-28 Jul, 2022 | 14:18
Updated-17 Apr, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ovarro TBox Insufficiently Protected Credentials

An attacker can decrypt the Ovarro TBox login password by communication capture and brute force attacks.

Action-Not Available
Vendor-ovarroOvarro
Product-tbox_ms-cpu32_firmwaretbox_ms-cpu32-s2_firmwaretbox_tg2tbox_lt2-530_firmwaretbox_lt2-532_firmwaretbox_lt2-540_firmwaretbox_rm2tbox_ms-cpu32-s2tbox_lt2-540tbox_lt2-532tbox_lt2-530tbox_ms-cpu32twinsofttbox_tg2_firmwaretbox_rm2_firmwareTBox
CWE ID-CWE-294
Authentication Bypass by Capture-replay
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2020-11052
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.3||HIGH
EPSS-0.53% / 66.34%
||
7 Day CHG~0.00%
Published-07 May, 2020 | 20:25
Updated-04 Aug, 2024 | 11:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of Excessive Authentication Attempts in Sorcery

In Sorcery before 0.15.0, there is a brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired, protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout. This has been patched in 0.15.0.

Action-Not Available
Vendor-sorcery_projectSorcery
Product-sorcerySorcery
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2021-22737
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 53.11%
||
7 Day CHG~0.00%
Published-26 May, 2021 | 00:00
Updated-03 Aug, 2024 | 18:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficiently Protected Credentials vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior that could cause unauthorized access of when credentials are discovered after a brute force attack.

Action-Not Available
Vendor-n/a
Product-homelynkspacelynk_firmwarehomelynk_firmwarespacelynkhomeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-10849
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.12% / 31.18%
||
7 Day CHG~0.00%
Published-24 Mar, 2020 | 17:32
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered on Samsung mobile devices with O(8.x), P(9.0), and Q(10.0) (Exynos7885, Exynos8895, and Exynos9810 chipsets) software. The Gatekeeper trustlet allows a brute-force attack on the screen lock password. The Samsung ID is SVE-2019-14575 (January 2020).

Action-Not Available
Vendor-n/aGoogle LLCSamsung
Product-androidexynos_8895exynos_7885exynos_9810n/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2013-4441
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.43% / 61.97%
||
7 Day CHG~0.00%
Published-27 Jan, 2020 | 16:08
Updated-06 Aug, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Phonemes mode in Pwgen 2.06 generates predictable passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

Action-Not Available
Vendor-pwgen_projectPwgen
Product-pwgenPwgen
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-21237
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 60.18%
||
7 Day CHG~0.00%
Published-27 Dec, 2021 | 22:22
Updated-04 Aug, 2024 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue in the user login box of LJCMS v1.11 allows attackers to hijack user accounts via brute force attacks.

Action-Not Available
Vendor-8cmsn/a
Product-ljcmsn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-42818
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 36.95%
||
7 Day CHG~0.00%
Published-27 Sep, 2023 | 20:28
Updated-25 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SSH public key login without private key challenge if mfa is enabled in jumpserver

JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication against the SSH service This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. There are no known workarounds for this issue.

Action-Not Available
Vendor-FIT2CLOUD Inc.JumpServer (FIT2CLOUD Inc.)
Product-jumpserverjumpserverjumpserver
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-42769
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 21.64%
||
7 Day CHG~0.00%
Published-26 Oct, 2023 | 16:15
Updated-16 Jan, 2025 | 21:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sielco Radio Link and Analog FM Transmitters Improper Access Control

The cookie session ID is of insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication, and manipulate the transmitter.

Action-Not Available
Vendor-sielcoSielco
Product-analog_fm_transmitter_exc2000gxanalog_fm_transmitter_exc5000gtradio_link_exc19_firmwareanalog_fm_transmitter_exc1000gt_firmwareanalog_fm_transmitter_exc300gx_firmwareanalog_fm_transmitter_exc1600gx_firmwareanalog_fm_transmitter_exc100gtanalog_fm_transmitter_exc1000gx_firmwareanalog_fm_transmitter_exc300gt_firmwareanalog_fm_transmitter_exc5000gt_firmwareanalog_fm_transmitter_exc120gtanalog_fm_transmitter_exc120gx_firmwareanalog_fm_transmitter_exc5000gx_firmwareanalog_fm_transmitter_exc1600gxanalog_fm_transmitter_exc5000gxanalog_fm_transmitter_exc120gt_firmwareanalog_fm_transmitter_exc2000gx_firmwareradio_link_rtx19analog_fm_transmitter_exc3000gx_firmwareanalog_fm_transmitter_exc1000gxanalog_fm_transmitter_exc120gxanalog_fm_transmitter_exc300gtradio_link_exc19analog_fm_transmitter_exc100gt_firmwareanalog_fm_transmitter_exc3000gxradio_link_rtx19_firmwareanalog_fm_transmitter_exc300gxanalog_fm_transmitter_exc30gtanalog_fm_transmitter_exc30gt_firmwareanalog_fm_transmitter_exc1000gtRadio LinkAnalog FM transmitter
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2013-10004
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 58.91%
||
7 Day CHG~0.00%
Published-24 May, 2022 | 15:30
Updated-15 Apr, 2025 | 14:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Telecommunication Software SAMwin Contact Center Suite Password SAMwinLIBVB.dll passwordScramble improper authentication

A vulnerability classified as critical was found in Telecommunication Software SAMwin Contact Center Suite 5.1. This vulnerability affects the function passwordScramble in the library SAMwinLIBVB.dll of the component Password Handler. Incorrect implementation of a hashing function leads to predictable authentication possibilities. Upgrading to version 6.2 is able to address this issue. It is recommended to upgrade the affected component.

Action-Not Available
Vendor-telecomsoftwareTelecommunication Software
Product-samwin_agentsamwin_contact_centerSAMwin Contact Center Suite
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-7995
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.64% / 69.53%
||
7 Day CHG~0.00%
Published-26 Jan, 2020 | 22:44
Updated-04 Aug, 2024 | 09:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.

Action-Not Available
Vendor-n/aDolibarr ERP & CRM
Product-dolibarr_erp\/crmn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-8790
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.04% / 76.57%
||
7 Day CHG~0.00%
Published-04 May, 2020 | 13:18
Updated-04 Aug, 2024 | 10:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) has weak password requirements combined with improper restriction of excessive authentication attempts, which could allow a remote attacker to discover user credentials and obtain access via a brute force attack.

Action-Not Available
Vendor-oklok_projectn/a
Product-oklokn/a
CWE ID-CWE-521
Weak Password Requirements
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-41350
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-7.5||HIGH
EPSS-0.06% / 19.60%
||
7 Day CHG~0.00%
Published-03 Nov, 2023 | 04:44
Updated-06 Sep, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chunghwa Telecom NOKIA G-040W-Q - Excessive Authentication Attempts

Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient measures to prevent multiple failed authentication attempts. An unauthenticated remote attacker can execute a crafted Javascript to expose captcha in page, making it very easy for bots to bypass the captcha check and more susceptible to brute force attacks.

Action-Not Available
Vendor-Chunghwa TelecomNokia Corporation
Product-g-040w-qg-040w-q_firmwareNOKIA G-040W-Qg-040w-q_firmware
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-7508
Matching Score-4
Assigner-Schneider Electric
ShareView Details
Matching Score-4
Assigner-Schneider Electric
CVSS Score-9.8||CRITICAL
EPSS-0.26% / 48.82%
||
7 Day CHG~0.00%
Published-16 Jun, 2020 | 19:44
Updated-04 Aug, 2024 | 09:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to gain full access by brute force.

Action-Not Available
Vendor-n/a
Product-easergy_t300easergy_t300_firmwareEasergy T300 (Firmware version 1.5.2 and older)
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-40834
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.27% / 49.83%
||
7 Day CHG~0.00%
Published-12 Sep, 2023 | 00:00
Updated-26 Sep, 2024 | 14:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenCart CMS v4.0.2.2 was discovered to lack a protective mechanism on its login page against excessive login attempts, allowing unauthenticated attackers to gain access to the application via a brute force attack to the password parameter.

Action-Not Available
Vendor-opencartn/a
Product-opencartn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-2650
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.8||HIGH
EPSS-0.15% / 36.15%
||
7 Day CHG~0.00%
Published-24 Nov, 2022 | 00:00
Updated-25 Apr, 2025 | 18:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of Excessive Authentication Attempts in wger-project/wger

Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to 2.2.

Action-Not Available
Vendor-wgerwger-project
Product-wgerwger-project/wger
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-2525
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 18.54%
||
7 Day CHG~0.00%
Published-15 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of Excessive Authentication Attempts in janeczku/calibre-web

Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.

Action-Not Available
Vendor-janeczkujaneczku
Product-calibre-webjaneczku/calibre-web
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-2457
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 43.87%
||
7 Day CHG-0.13%
Published-09 Aug, 2022 | 20:15
Updated-27 Aug, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in Red Hat Process Automation Manager 7 where an attacker can benefit from a brute force attack against Administration Console as the application does not limit the number of unsuccessful login attempts.

Action-Not Available
Vendor-n/aRed Hat, Inc.
Product-process_automation_managerRed Hat Process Automation Manager 7
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2025-7393
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-9.8||CRITICAL
EPSS-0.07% / 21.54%
||
7 Day CHG+0.01%
Published-21 Jul, 2025 | 16:35
Updated-27 Aug, 2025 | 14:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088

Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Mail Login allows Brute Force.This issue affects Mail Login: from 3.0.0 before 3.2.0, from 4.0.0 before 4.2.0.

Action-Not Available
Vendor-mqannehThe Drupal Association
Product-mail_loginMail Login
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-6852
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.74% / 71.91%
||
7 Day CHG~0.00%
Published-02 Apr, 2020 | 14:49
Updated-04 Aug, 2024 | 09:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 has weak authentication of TELNET access, leading to root privileges without any password required.

Action-Not Available
Vendor-cacagoon/a
Product-tv-288zd-2mptv-288zd-2mp_firmwaren/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-40706
Matching Score-4
Assigner-Dragos, Inc.
ShareView Details
Matching Score-4
Assigner-Dragos, Inc.
CVSS Score-8.6||HIGH
EPSS-0.08% / 24.13%
||
7 Day CHG~0.00%
Published-24 Aug, 2023 | 16:03
Updated-02 Oct, 2024 | 20:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of Excessive Authentication Attempts in OPTO 22 SNAP PAC S1 Built-in Web Server

There is no limit on the number of login attempts in the web server for the SNAP PAC S1 Firmware version R10.3b. This could allow for a brute-force attack on the built-in web server login.

Action-Not Available
Vendor-opto22OPTO 22opto22
Product-snap_pac_s1snap_pac_s1_firmwareSNAP PAC S1snap_pac_s1
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-4567
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-8.6||HIGH
EPSS-0.31% / 53.41%
||
7 Day CHG~0.00%
Published-29 Jul, 2020 | 14:05
Updated-16 Sep, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 184156.

Action-Not Available
Vendor-IBM Corporation
Product-security_key_lifecycle_managerSecurity Key Lifecycle Manager
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2025-48187
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.1||CRITICAL
EPSS-0.06% / 18.46%
||
7 Day CHG~0.00%
Published-17 May, 2025 | 00:00
Updated-12 Jun, 2025 | 16:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting.

Action-Not Available
Vendor-infiniflowinfiniflow
Product-ragflowRAGFlow
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-35590
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-42.85% / 97.39%
||
7 Day CHG~0.00%
Published-21 Dec, 2020 | 06:03
Updated-04 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries.

Action-Not Available
Vendor-limitloginattemptsn/a
Product-limit_login_attempts_reloadedn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-35565
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.32% / 54.11%
||
7 Day CHG~0.00%
Published-16 Feb, 2021 | 15:47
Updated-04 Aug, 2024 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default.

Action-Not Available
Vendor-mbconnectlinen/a
Product-mymbconnect24mbconnect24n/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2001-1291
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-9.89% / 92.70%
||
7 Day CHG~0.00%
Published-02 Apr, 2003 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The telnet server for 3Com hardware such as PS40 SuperStack II does not delay or disconnect remote attackers who provide an incorrect username or password, which makes it easier to break into the server via brute force password guessing.

Action-Not Available
Vendor-3comn/a
Product-superstack_ii_ps_hub_40_firmwaresuperstack_ii_ps_hub_40n/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2001-1339
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-24.28% / 95.87%
||
7 Day CHG~0.00%
Published-03 May, 2002 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Beck IPC GmbH IPC@CHIP telnet service does not delay or disconnect users from the service when bad passwords are entered, which makes it easier for remote attackers to conduct brute force password guessing attacks.

Action-Not Available
Vendor-anybusn/a
Product-ipc\@chip_firmwareipc\@chipn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2001-0395
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.13% / 77.39%
||
7 Day CHG~0.00%
Published-24 May, 2001 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Lightwave ConsoleServer 3200 does not disconnect users after unsuccessful login attempts, which could allow remote attackers to conduct brute force password guessing.

Action-Not Available
Vendor-lightwavemon/a
Product-consoleserver_3200_firmwareconsoleserver_3200n/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2025-4094
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-9.8||CRITICAL
EPSS-1.29% / 78.82%
||
7 Day CHG~0.00%
Published-21 May, 2025 | 06:00
Updated-27 Aug, 2025 | 12:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Digits < 8.4.6.1 - Auth Bypass via OTP Bruteforcing

The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate limit OTP validation attempts, making it straightforward for attackers to bruteforce them.

Action-Not Available
Vendor-unitedoverUnknown
Product-digitsDIGITS: WordPress Mobile Number Signup and Login
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-1999-1324
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-1.01% / 76.19%
||
7 Day CHG~0.00%
Published-09 Mar, 2002 | 05:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VAXstations running Open VMS 5.3 through 5.5-2 with VMS DECwindows or MOTIF do not properly disable access to user accounts that exceed the break-in limit threshold for failed login attempts, which makes it easier for attackers to conduct brute force password guessing.

Action-Not Available
Vendor-n/aHP Inc.
Product-openvms_vaxn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2025-3709
Matching Score-4
Assigner-TWCERT/CC
ShareView Details
Matching Score-4
Assigner-TWCERT/CC
CVSS Score-9.8||CRITICAL
EPSS-0.06% / 19.06%
||
7 Day CHG~0.00%
Published-02 May, 2025 | 03:13
Updated-07 May, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flowring Technology Agentflow - Account Lockout Bypass

Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.

Action-Not Available
Vendor-flowringFlowring Technology
Product-agentflowAgentflow
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-25196
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.11% / 30.07%
||
7 Day CHG~0.00%
Published-23 Dec, 2020 | 14:08
Updated-17 Sep, 2024 | 00:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MOXA NPort IAW5000A-I/O Series

The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows SSH/Telnet sessions, which may be vulnerable to brute force attacks to bypass authentication.

Action-Not Available
Vendor-Moxa Inc.
Product-nport_iaw5000a-i\/onport_iaw5000a-i\/o_firmwareNPort IAW5000A-I/O
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2020-10285
Matching Score-4
Assigner-Alias Robotics S.L.
ShareView Details
Matching Score-4
Assigner-Alias Robotics S.L.
CVSS Score-9.4||CRITICAL
EPSS-0.37% / 58.03%
||
7 Day CHG~0.00%
Published-15 Jul, 2020 | 21:00
Updated-17 Sep, 2024 | 02:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RVD#3322: Weak authentication implementation make the system vulnerable to a brute-force attack over adjacent networks

The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access.

Action-Not Available
Vendor-ufactoryuFactory
Product-xarm_5_lite_firmwarexarm_5_litexArm5 Lite, xArm 6 and xArm 7
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CWE ID-CWE-331
Insufficient Entropy
CVE-2019-5421
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-9.8||CRITICAL
EPSS-0.23% / 45.64%
||
7 Day CHG~0.00%
Published-03 Apr, 2019 | 14:21
Updated-04 Aug, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later.

Action-Not Available
Vendor-plataformatecPlataformatec
Product-deviseDevise ruby gem
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2019-6524
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.25% / 47.85%
||
7 Day CHG~0.00%
Published-05 Mar, 2019 | 21:00
Updated-16 Sep, 2024 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Moxa IKS and EDS do not implement sufficient measures to prevent multiple failed authentication attempts, which may allow an attacker to discover passwords via brute force attack.

Action-Not Available
Vendor-ICS-CERTMoxa Inc.
Product-eds-510aeds-408a_firmwareeds-408aeds-510a_firmwareiks-g6824aeds-405a_firmwareiks-g6824a_firmwareeds-405aMoxa IKS, EDS
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found