Total
344 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-28212 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2022-01-31 | 9.8 Critical |
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus. | ||||
CVE-2022-22553 | 1 Dell | 1 Emc Appsync | 2022-01-27 | 9.8 Critical |
Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that can be exploited from UI and CLI. An adjacent unauthenticated attacker could potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users. | ||||
CVE-2021-41807 | 1 M-files | 2 M-files Server, M-files Web | 2022-01-26 | 9.8 Critical |
Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier. | ||||
CVE-2020-21237 | 1 8cms | 1 Ljcms | 2022-01-10 | 9.8 Critical |
An issue in the user login box of LJCMS v1.11 allows attackers to hijack user accounts via brute force attacks. | ||||
CVE-2020-21238 | 1 Chshcms | 1 Cscms | 2022-01-10 | 9.8 Critical |
An issue in the user login box of CSCMS v4.0 allows attackers to hijack user accounts via brute force attacks. | ||||
CVE-2021-36750 | 2 Sandisk, Zendesk | 3 Secureaccess, Enc Datavault, Enc Vaultapi | 2022-01-06 | 8.1 High |
ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names). | ||||
CVE-2021-3138 | 1 Discourse | 1 Discourse | 2022-01-04 | 7.5 High |
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. | ||||
CVE-2014-2875 | 1 Keplerproject | 1 Cgilua | 2022-01-01 | 6.1 Medium |
The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NOTE: CVE-2014-10399 and CVE-2014-10400 were SPLIT from this ID. | ||||
CVE-2020-10285 | 1 Ufactory | 2 Xarm 5 Lite, Xarm 5 Lite Firmware | 2021-12-21 | 9.8 Critical |
The authentication implementation on the xArm controller has very low entropy, making it vulnerable to a brute-force attack. There is no mechanism in place to mitigate or lockout automated attempts to gain access. | ||||
CVE-2021-37934 | 1 Huntflow | 1 Huntflow Enterprise | 2021-12-14 | 9.8 Critical |
Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing. | ||||
CVE-2021-38890 | 4 Ibm, Linux, Microsoft and 1 more | 5 Aix, Sterling Connect\, Linux Kernel and 2 more | 2021-11-29 | 7.5 High |
IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 209507. | ||||
CVE-2021-41435 | 1 Asus | 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more | 2021-11-23 | 9.8 Critical |
A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request. | ||||
CVE-2021-44033 | 1 Ionic | 1 Identity Vault | 2021-11-23 | 6.8 Medium |
In Ionic Identity Vault before 5.0.5, the protection mechanism for invalid unlock attempts can be bypassed. | ||||
CVE-2021-33209 | 1 Fimer | 1 Aurora Vision | 2021-11-05 | 5.3 Medium |
An issue was discovered in Fimer Aurora Vision before 2.97.10. The response to a failed login attempt discloses whether the username or password is wrong, helping an attacker to enumerate usernames. This can make a brute-force attack easier. | ||||
CVE-2020-14494 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2021-11-04 | 9.8 Critical |
OpenClinic GA versions 5.09.02 and 5.89.05b contain an authentication mechanism within the system that does not provide sufficient complexity to protect against brute force attacks, which may allow unauthorized users to access the system after no more than a fixed maximum number of attempts. | ||||
CVE-2019-15577 | 1 Gitlab | 1 Gitlab | 2021-11-02 | 4.3 Medium |
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing. | ||||
CVE-2021-41171 | 1 Elabftw | 1 Elabftw | 2021-10-28 | 8.8 High |
eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header. This issue has been addressed by implementing brute force login protection, as recommended by Owasp with Device Cookies. This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. The only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is of course a valid option, with or without upgrading. | ||||
CVE-2021-38474 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2021-10-22 | 9.8 Critical |
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have has no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitation and without harming the normal operation of the user. This could allow an attacker to gain valid credentials for the product interface. | ||||
CVE-2021-36285 | 1 Dell | 42 Latitude 5310 2-in-1, Latitude 5310 2-in-1 Firmware, Latitude 5320 and 39 more | 2021-10-04 | 4.4 Medium |
Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability. A local authenticated malicious administrator could exploit this vulnerability to bypass excessive NVMe password attempt mitigations in order to carry out a brute force attack. | ||||
CVE-2021-36284 | 1 Dell | 42 Latitude 5310 2-in-1, Latitude 5310 2-in-1 Firmware, Latitude 5320 and 39 more | 2021-10-04 | 4.4 Medium |
Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability. A local authenticated malicious administrator could exploit this vulnerability to bypass excessive admin password attempt mitigations in order to carry out a brute force attack. |