Total
520 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5141 | 1 Sonicwall | 2 Sonicos, Sonicosv | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
|
A vulnerability in SonicOS allows a remote unauthenticated attacker to brute force Virtual Assist ticket ID in the firewall SSLVPN service. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.
|
|||||
| CVE-2020-4891 | 1 Ibm | 1 Spectrum Scale | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting that could allow a local user er to brute force Rest API account credentials. IBM X-Force ID: 190974.
|
|||||
| CVE-2020-4567 | 1 Ibm | 1 Security Key Lifecycle Manager | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 184156.
|
|||||
| CVE-2020-4400 | 1 Ibm | 1 Verify Gateway | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 179478.
|
|||||
| CVE-2020-4232 | 1 Ibm | 1 Security Identity Governance And Intelligence | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
IBM Security Identity Governance and Intelligence 5.2.6 could allow an attacker to enumerate usernames to find valid login credentials which could be used to attempt further attacks against the system. IBM X-Force ID: 175336.
|
|||||
| CVE-2020-4193 | 1 Ibm | 1 Security Guardium | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
IBM Security Guardium 11.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 174857.
|
|||||
| CVE-2020-35590 | 1 Limitloginattempts | 1 Limit Login Attempts Reloaded | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowe ...
Show More |
|||||
| CVE-2020-35586 | 1 Mersive | 2 Solstice Pod, Solstice Pod Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In Solstice Pod before 3.3.0 (or Open4.3), the Administrator password can be enumerated using brute-force attacks via the /Config/service/initModel?password= Solstice Open Control API because there is no complexity requirement (e.g., it might be all digits or all lowercase letters).
|
|||||
| CVE-2020-35585 | 1 Mersive | 2 Solstice Pod, Solstice Pod Firmware | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In Solstice Pod before 3.3.0 (or Open4.3), the screen key can be enumerated using brute-force attacks via the /lookin/info Solstice Open Control API because there are only 1.7 million possibilities.
|
|||||
| CVE-2020-35565 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default.
|
|||||
| CVE-2020-29136 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
|
|||||
| CVE-2020-29042 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.3 MEDIUM | 3.7 LOW |
|
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.
|
|||||
| CVE-2020-28212 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus.
|
|||||
| CVE-2020-28206 | 1 Bitrix24 | 1 Bitrix Framework | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An "User enumeration and Improper Restriction of Excessive Authentication Attempts" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also allows brute-force attacks on the passwords of users not in the administrator group.
|
|||||
| CVE-2020-27747 | 1 Clickstudios | 1 Passwordstate | 2024-11-21 | 2.1 LOW | 6.8 MEDIUM |
|
An issue was discovered in Click Studios Passwordstate 8.9 (Build 8973).If the user of the system has assigned himself a PIN code for entering from a mobile device using the built-in generator (4 digits), a remote attacker has the opportunity to conduct a brute force attack on this PIN code. As result, remote attacker retrieves all passwords from another systems, available for affected account.
|
|||||
| CVE-2020-27423 | 1 Anuko | 1 Time Tracker | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user's mailbox
|
|||||
| CVE-2020-26556 | 1 Bluetooth | 2 Bluetooth Core Specification, Mesh Profile | 2024-11-21 | 2.9 LOW | 7.5 HIGH |
|
Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device, able to conduct a successful brute-force attack on an insufficiently random AuthValue before the provisioning procedure times out, to complete authentication by leveraging Malleable Commitment.
|
|||||
| CVE-2020-25827 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.
|
|||||
| CVE-2020-25196 | 1 Moxa | 2 Nport Iaw5000a-i\/o, Nport Iaw5000a-i\/o Firmware | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
The built-in WEB server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows SSH/Telnet sessions, which may be vulnerable to brute force attacks to bypass authentication.
|
|||||
| CVE-2020-24007 | 1 Umanni | 1 Human Resources | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Umanni RH 1.0 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page.
|
|||||
| CVE-2020-23283 | 1 Mv | 1 Mconnect | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Information disclosure in Logon Page in MV's mConnect application v02.001.00 allows an attacker to know valid users from the application's database via brute force.
|
|||||
| CVE-2020-21238 | 1 Chshcms | 1 Cscms | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
An issue in the user login box of CSCMS v4.0 allows attackers to hijack user accounts via brute force attacks.
|
|||||
| CVE-2020-21237 | 1 8cms | 1 Ljcms | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
An issue in the user login box of LJCMS v1.11 allows attackers to hijack user accounts via brute force attacks.
|
|||||
| CVE-2020-1616 | 1 Juniper | 2 Advanced Threat Protection, Virtual Advanced Threat Protection | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Due to insufficient server-side login attempt limit enforcement, a vulnerability in the SSH login service of Juniper Networks Juniper Advanced Threat Prevention (JATP) Series and Virtual JATP (vJATP) devices allows an unauthenticated, remote attacker to perform multiple login attempts in excess of the configured login attempt limit. Successful exploitation will allow the attacker to perform brute-force password attacks on the SSH service. This issue affects: Juniper Networks JATP and vJATP versi ...
Show More |
|||||
| CVE-2020-18698 | 1 Talelin | 1 Lin-cms-flask | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component 'app/api/cms/user.py'.
|
|||||
| CVE-2020-15906 | 1 Tiki | 1 Tiki | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
|
|||||
| CVE-2020-15786 | 1 Siemens | 8 Simatic Hmi Basic Panels 2nd Generation, Simatic Hmi Basic Panels 2nd Generation Firmware, Simatic Hmi Comfort Panels and 5 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions < V16), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions <= V16), SIMATIC HMI Mobile Panels (All versions <= V16), SIMATIC HMI Unified Comfort Panels (All versions <= V16). Affected devices insufficiently block excessive authentication attempts. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force att ...
Show More |
|||||
| CVE-2020-15770 | 1 Gradle | 1 Enterprise | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
An issue was discovered in Gradle Enterprise 2018.5. An attacker can potentially make repeated attempts to guess a local user's password, due to lack of lock-out after excessive failed logins.
|
|||||
| CVE-2020-15367 | 1 Venki | 1 Supravizio Bpm | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Venki Supravizio BPM 10.1.2 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page.
|
|||||
| CVE-2020-14494 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
OpenClinic GA versions 5.09.02 and 5.89.05b contain an authentication mechanism within the system that does not provide sufficient complexity to protect against brute force attacks, which may allow unauthorized users to access the system after no more than a fixed maximum number of attempts.
|
|||||
| CVE-2020-14484 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass the system’s account lockout protection, which may allow brute force password attacks.
|
|||||
| CVE-2020-13872 | 2 Microsoft, Royalapps | 2 Windows, Royal Ts | 2024-11-21 | 3.3 LOW | 8.8 HIGH |
|
Royal TS before 5 has a 0.0.0.0 listener, which makes it easier for attackers to bypass tunnel authentication via a brute-force approach.
|
|||||
| CVE-2020-13835 | 1 Google | 1 Android | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
An issue was discovered on Samsung mobile devices with O(8.x) (with TEEGRIS) software. The Gatekeeper Trustlet allows a brute-force attack on user credentials. The Samsung ID is SVE-2020-16908 (June 2020).
|
|||||
| CVE-2020-13805 | 1 Foxitsoftware | 2 Phantompdf, Reader | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. It has brute-force attack mishandling because the CAS service lacks a limit on login failures.
|
|||||
| CVE-2020-13617 | 1 Mitel | 22 6863, 6863 Firmware, 6865 and 19 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Web UI component of Mitel MiVoice 6800 and 6900 series SIP Phones with firmware before 5.1.0.SP5 could allow an unauthenticated attacker to expose sensitive information due to improper memory handling during failed login attempts.
|
|||||
| CVE-2020-13312 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 5.0 MEDIUM | 6.5 MEDIUM |
|
A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. GitLab OAuth endpoint was vulnerable to brute-force attacks through a specific parameter.
|
|||||
| CVE-2020-12752 | 1 Google | 1 Android | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered on Samsung mobile devices with P(9.0) and Q(10.0) (with TEEGRIS) software. Attackers can determine user credentials via a brute-force attack against the Gatekeeper trustlet. The Samsung ID is SVE-2020-16908 (May 2020).
|
|||||
| CVE-2020-12645 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
OX App Suite 7.10.1 to 7.10.3 has improper input validation for rate limits with a crafted User-Agent header, spoofed vacation notices, and /apps/load memory consumption.
|
|||||
| CVE-2020-11650 | 1 Ixsystems | 4 Freenas, Freenas Firmware, Truenas and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before 11.2-u8 and 11.3 before 11.3-U1. It allows a denial of service. The login authentication component has no limits on the length of an authentication message or the rate at which such messages are sent.
|
|||||
| CVE-2020-11052 | 1 Sorcery Project | 1 Sorcery | 2024-11-21 | 5.0 MEDIUM | 8.3 HIGH |
|
In Sorcery before 0.15.0, there is a brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired, protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout. This has been patched in 0.15.0.
|
|||||