Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-62257

Summary
Assigner-Liferay
Assigner Org ID-8b54e794-c6f0-462e-9faa-c1001a673ac3
Published At-29 Oct, 2025 | 23:24
Updated At-30 Oct, 2025 | 17:41
Rejected At-
Credits

Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Liferay
Assigner Org ID:8b54e794-c6f0-462e-9faa-c1001a673ac3
Published At:29 Oct, 2025 | 23:24
Updated At:30 Oct, 2025 | 17:41
Rejected At:
▼CVE Numbering Authority (CNA)

Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack.

Affected Products
Vendor
Liferay Inc.Liferay
Product
Portal
Default Status
unaffected
Versions
Affected
  • From 7.4.0 through 7.4.3.119 (maven)
Vendor
Liferay Inc.Liferay
Product
DXP
Default Status
unaffected
Versions
Affected
  • From 7.4.13 through 7.4.13-u92 (maven)
  • From 2023.Q3.1 through 2023.Q3.10 (maven)
  • From 2023.Q4.0 through 2023.Q4.10 (maven)
  • From 2024.Q1.1 through 2024.Q1.5 (maven)
Problem Types
TypeCWE IDDescription
CWECWE-307CWE-307 Improper Restriction of Excessive Authentication Attempts
Type: CWE
CWE ID: CWE-307
Description: CWE-307 Improper Restriction of Excessive Authentication Attempts
Metrics
VersionBase scoreBase severityVector
4.06.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 4.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62257
N/A
Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62257
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@liferay.com
Published At:30 Oct, 2025 | 00:15
Updated At:10 Nov, 2025 | 21:37

Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.3MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches
Liferay Inc.
liferay
>>digital_experience_platform>>Versions up to 7.4(inclusive)
cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>2023.q3.0
cpe:2.3:a:liferay:digital_experience_platform:2023.q3.0:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>2023.q4.0
cpe:2.3:a:liferay:digital_experience_platform:2023.q4.0:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>2024.q1.1
cpe:2.3:a:liferay:digital_experience_platform:2024.q1.1:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>2024.q1.2
cpe:2.3:a:liferay:digital_experience_platform:2024.q1.2:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>2024.q1.3
cpe:2.3:a:liferay:digital_experience_platform:2024.q1.3:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>2024.q1.4
cpe:2.3:a:liferay:digital_experience_platform:2024.q1.4:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>digital_experience_platform>>2024.q1.5
cpe:2.3:a:liferay:digital_experience_platform:2024.q1.5:*:*:*:*:*:*:*
Liferay Inc.
liferay
>>liferay_portal>>Versions from 7.4.0(inclusive) to 7.4.3.120(exclusive)
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-307Secondarysecurity@liferay.com
CWE ID: CWE-307
Type: Secondary
Source: security@liferay.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62257security@liferay.com
Vendor Advisory
Hyperlink: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62257
Source: security@liferay.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

65Records found
CVE-2023-48276
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 29.70%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 10:20
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Forms Puzzle Captcha plugin <= 4.1 - Captcha Bypass vulnerability

Improper Restriction of Excessive Authentication Attempts vulnerability in Nitin Rathod WP Forms Puzzle Captcha allows Functionality Bypass.This issue affects WP Forms Puzzle Captcha: from n/a through 4.1.

Action-Not Available
Vendor-Nitin Rathodnitinrathod
Product-WP Forms Puzzle Captchawp_forms_puzzle_captcha
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-46745
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.60% / 44.02%
||
7 Day CHG~0.00%
Published-17 Nov, 2023 | 21:42
Updated-29 Aug, 2024 | 14:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rate limiting Bypass on login page in libreNMS

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. In affected versions the login method has no rate limit. An attacker may be able to leverage this vulnerability to gain access to user accounts. This issue has been addressed in version 23.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-LibreNMS
Product-librenmslibrenms
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-46123
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.70% / 48.52%
||
7 Day CHG~0.00%
Published-25 Oct, 2023 | 00:13
Updated-25 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jumpserver is vulnerable to password brute-force protection bypass via arbitrary IP values

jumpserver is an open source bastion machine, professional operation and maintenance security audit system that complies with 4A specifications. A flaw in the Core API allows attackers to bypass password brute-force protections by spoofing arbitrary IP addresses. By exploiting this vulnerability, attackers can effectively make unlimited password attempts by altering their apparent IP address for each request. This vulnerability has been patched in version 3.8.0.

Action-Not Available
Vendor-FIT2CLOUD Inc.JumpServer (FIT2CLOUD Inc.)
Product-jumpserverjumpserverjumpserver
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-45009
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.40% / 32.03%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 09:06
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Captcha for Contact Form 7 plugin <= 1.11.3 - Capcha Bypass vulnerability

Improper Restriction of Excessive Authentication Attempts vulnerability in Forge12 Interactive GmbH Captcha/Honeypot for Contact Form 7 allows Functionality Bypass.This issue affects Captcha/Honeypot for Contact Form 7: from n/a through 1.11.3.

Action-Not Available
Vendor-Forge12 Interactive GmbH
Product-Captcha/Honeypot for Contact Form 7
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-44235
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-5.3||MEDIUM
EPSS-0.43% / 34.11%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 07:35
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Captcha plugin <= 2.0.0 - Captcha Bypass vulnerability

Improper Restriction of Excessive Authentication Attempts vulnerability in Devnath verma WP Captcha allows Functionality Bypass.This issue affects WP Captcha: from n/a through 2.0.0.

Action-Not Available
Vendor-Devnath vermadevnath_verma
Product-WP Captchawp_captcha
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-42480
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-5.3||MEDIUM
EPSS-0.55% / 41.63%
||
7 Day CHG~0.00%
Published-14 Nov, 2023 | 01:02
Updated-03 Sep, 2024 | 14:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure in NetWeaver AS Java Logon

The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_javaNetWeaver AS Java
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-39958
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.58% / 43.02%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 17:04
Updated-10 Oct, 2024 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing brute force protection on password reset token OAuth2 API controller

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

Action-Not Available
Vendor-Nextcloud GmbH
Product-nextcloud_serversecurity-advisories
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-35697
Matching Score-4
Assigner-SICK AG
ShareView Details
Matching Score-4
Assigner-SICK AG
CVSS Score-5.3||MEDIUM
EPSS-0.65% / 46.36%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 09:35
Updated-01 Jun, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper Restriction of Excessive Authentication Attempts in the SICK ICR890-4 could allow a remote attacker to brute-force user credentials.

Action-Not Available
Vendor-SICK AG
Product-icr890-4_firmwareicr890-4ICR890-4icr890-4
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-32657
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5.3||MEDIUM
EPSS-0.43% / 34.60%
||
7 Day CHG~0.00%
Published-19 Jul, 2023 | 21:47
Updated-28 Oct, 2024 | 14:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weintek Weincloud Improper Restriction of Excessive Authentication Attempts

Weintek Weincloud v0.13.6 could allow an attacker to efficiently develop a brute force attack on credentials with authentication hints from error message responses.

Action-Not Available
Vendor-weintekWeintek
Product-weincloudWeincloud
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2025-2514
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.30% / 21.46%
||
7 Day CHG~0.00%
Published-07 May, 2026 | 07:30
Updated-13 May, 2026 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Restriction of Excessive Authentication Attempts vulnerability in Hitachi Virtual Storage Platform

Improper restriction of excessive authentication attempts vulnerability in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28. This issue affects Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28  : before DKCMAIN Ver 88-08-16-xx/00, GUM Ver. 88-08-20/00, before DKCMAIN Ver 93-07-26-xx/00, GUM Ver. 93-07-26/00, before DKCMAIN Ver A3-04-02-xx/00, EMS Ver. A3-04-02/00, before DKCMAIN Ver A3-03-41-xx/00, EMS Ver. A3-03-41/00, before DKCMAIN Ver A3-03-03-xx/00, EMS Ver. A3-03-02/00.

Action-Not Available
Vendor-Hitachi, Ltd.
Product-vsp_f370vsp_f700_firmwarevsp_g700_firmwarevsp_f350_firmwarevsp_f350vsp_f900vsp_e990vsp_e390hvsp_g350_firmwarevsp_g900_firmwarevsp_f700vsp_e990_firmwarevsp_g130vsp_f900_firmwarevsp_e590h_firmwarevsp_g130_firmwarevsp_f370_firmwarevsp_e590_firmwarevsp_e590hvirtual_storage_one_blockvsp_g370vsp_e790h_firmwarevsp_e390h_firmwarevsp_g150_firmwarevsp_e390_firmwarevsp_e1090hvsp_e390vsp_g900vsp_e1090h_firmwarevsp_g150vsp_g370_firmwarevsp_g350vsp_e590vsp_e1090vsp_e1090_firmwarevsp_e790hvsp_e790vsp_e790_firmwarevsp_g700Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2023-26271
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.47% / 37.32%
||
7 Day CHG~0.00%
Published-28 Aug, 2023 | 00:09
Updated-02 Oct, 2024 | 14:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Guardium Data Encryption information disclosure

IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3)) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 248126.

Action-Not Available
Vendor-IBM Corporation
Product-guardium_cloud_key_managerGuardium Cloud Key Manager
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2024-9928
Matching Score-4
Assigner-Hitachi Energy
ShareView Details
Matching Score-4
Assigner-Hitachi Energy
CVSS Score-5.3||MEDIUM
EPSS-0.38% / 30.04%
||
7 Day CHG+0.01%
Published-26 Nov, 2024 | 13:26
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability exists in NSD570 login panel that does not restrict excessive authentication attempts. If exploited, this could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the equipment login. Note that the system supports only one concurrent session and implements a delay of more than a second between failed login attempts making it difficult to automate the attacks.

Action-Not Available
Vendor-Hitachi Energy Ltd.
Product-NSD570 Teleprotection Equipmentnsd570_firmware
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-44022
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.75% / 50.00%
||
7 Day CHG~0.00%
Published-29 Oct, 2022 | 00:00
Updated-07 May, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts.

Action-Not Available
Vendor-pwndoc_projectn/a
Product-pwndocn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-36781
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
ShareView Details
Matching Score-4
Assigner-Israel National Cyber Directorate (INCD)
CVSS Score-5.3||MEDIUM
EPSS-0.46% / 36.20%
||
7 Day CHG~0.00%
Published-28 Sep, 2022 | 19:11
Updated-16 Sep, 2024 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ConnectWise - ScreenConnect Session Code Bypass

ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom access tokens due to inadequate rate-limiting controls in the default configuration. Attackers could exploit this vulnerability to gain unauthorized access by repeatedly attempting access code combinations. ConnectWise has addressed this issue in later versions by implementing rate-limiting controls as a preventive measure against brute force attacks.

Action-Not Available
Vendor-connectwiseConnectWise
Product-screenconnectScreenConnect
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2022-30076
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-3.54% / 87.78%
||
7 Day CHG~0.00%
Published-16 Apr, 2023 | 00:00
Updated-06 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ENTAB ERP 1.0 allows attackers to discover users' full names via a brute force attack with a series of student usernames such as s10000 through s20000. There is no rate limiting.

Action-Not Available
Vendor-entabn/a
Product-erpn/a
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
  • Previous
  • 1
  • 2
  • Next
Details not found