Total: 520 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-34001 | 1 Wpplugins | 1 Hide My Wp Ghost | 2025-06-30 | N/A | 5.3 MEDIUM | Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins – WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass. This issue affects Hide My WP Ghost: from n/a through 5.0.25. |
| CVE-2025-4383 | | | 2025-06-26 | N/A | 9.3 CRITICAL | Improper Restriction of Excessive Authentication Attempts vulnerability in Art-in Bilişim Teknolojileri ve Yazılım Hizm. Tic. Ltd. Şti. Wi-Fi Cloud Hotspot allows Authentication Abuse, Authentication Bypass. This issue affects Wi-Fi Cloud Hotspot: before 30.05.2025. |
| CVE-2024-55008 | 1 Jatos | 1 Jatos | 2025-06-24 | N/A | 7.5 HIGH | JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending multiple failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker can trigger the account lockout mechanism on the account level, effectively locking the user out indefinitely. Since the lockout is applied to the user account and not based on the IP address, any ... |
| CVE-2025-2171 | | | 2025-06-23 | N/A | N/A | Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 do not enforce rate limiting on password reset attempts, allowing adversaries to brute force guess the 6-digit password reset PIN. |
| CVE-2023-50123 | 1 Hozard | 1 Alarm System | 2025-06-20 | N/A | 8.1 HIGH | The number of attempts to bring the Hozard Alarm system (alarmsystemen) v1.0 to a disarmed state is not limited. This could allow an attacker to perform a brute force on the SMS authentication, to bring the alarm system to a disarmed state. |
| CVE-2025-6029 | | | 2025-06-16 | N/A | N/A | Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in KIA-branded Aftermarket Generic Smart Keyless Entry System, primarily distributed in Ecuador, which allows a replay attack. Manufacturer is unknown at the time of release. CVE Record will be updated once this is clarified. |
| CVE-2025-6030 | | | 2025-06-16 | N/A | N/A | Use of fixed learning codes, one code to lock the car and the other code to unlock it, in the Key Fob Transmitter in Cyclone Matrix TRF Smart Keyless Entry System, which allows a replay attack. Research was completed on the 2024 KIA Soluto. Attack confirmed on other KIA Models in Ecuador. |
| CVE-2025-48187 | 1 Infiniflow | 1 Ragflow | 2025-06-12 | N/A | 9.1 CRITICAL | RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting. |
| CVE-2025-5864 | | | 2025-06-09 | 2.6 LOW | 3.7 LOW | A vulnerability was found in Tenda TDSEE App up to 1.7.12. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /app/ConfirmSmsCode of the component Password Reset Confirmation Code Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public a ... |
| CVE-2025-31676 | 1 Email Tfa Project | 1 Email Tfa | 2025-06-04 | N/A | 8.8 HIGH | Weak Authentication vulnerability in Drupal Email TFA allows Brute Force. This issue affects Email TFA: from 0.0.0 before 2.0.3. |
| CVE-2023-45190 | 1 Ibm | 1 Engineering Lifecycle Optimization | 2025-06-03 | N/A | 5.1 MEDIUM | IBM Engineering Lifecycle Optimization 7.0.2 and 7.0.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 268754. |
| CVE-2023-33759 | 1 Splicecom | 1 Maximiser Soft Pbx | 2025-05-30 | N/A | 9.8 CRITICAL | SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack. |
| CVE-2022-33735 | 1 Huawei | 2 Ws7200-10, Ws7200-10 Firmware | 2025-05-28 | N/A | 6.5 MEDIUM | There is a password verification vulnerability in WS7200-10 11.0.2.13. Attackers on the LAN may use brute force cracking to obtain passwords, which may cause sensitive system information to be disclosed. |
| CVE-2025-48014 | | | 2025-05-21 | N/A | 7.5 HIGH | Password guessing limits could be bypassed when using LDAP authentication. |
| CVE-2024-45404 | 1 Citeum | 1 Opencti | 2025-05-17 | N/A | 8.1 HIGH | OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available. |
| CVE-2022-33106 | 1 Wijungle | 2 U250, U250 Firmware | 2025-05-16 | N/A | 9.8 CRITICAL | WiJungle NGFW Version U250 was discovered to be vulnerable to No Rate Limit attack, allowing the attacker to brute force the admin password leading to Account Take Over. |
| CVE-2024-42176 | 1 Hcltech | 1 Dryice Myxalytics | 2025-05-16 | N/A | 2.6 LOW | HCL MyXalytics is affected by concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential allowing an attacker to potentially obtain access to a user's account or sensitive information. |
| CVE-2022-40055 | 1 Gxgroup | 2 Gpon Ont Titanium 2122a, Gpon Ont Titanium 2122a Firmware | 2025-05-14 | N/A | 9.8 CRITICAL | An issue in GX Group GPON ONT Titanium 2122A T2122-V1.26EXL allows attackers to escalate privileges via a brute force attack at the login page. |
| CVE-2022-3031 | 1 Gitlab | 1 Gitlab | 2025-05-13 | N/A | 3.7 LOW | An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account. |
| CVE-2024-38888 | 1 Horizoncloud | 1 Caterease | 2025-05-13 | N/A | 6.8 MEDIUM | An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a local attacker to perform a Password Brute Forcing attack due to improper restriction of excessive authentication attempts. |
| CVE-2025-46739 | | | 2025-05-12 | N/A | 8.1 HIGH | An unauthenticated user could discover account credentials via a brute-force attack without rate limiting. |
| CVE-2025-3709 | 1 Flowring | 1 Agentflow | 2025-05-07 | N/A | 9.8 CRITICAL | Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack. |
| CVE-2022-44022 | 1 Pwndoc Project | 1 Pwndoc | 2025-05-07 | N/A | 5.3 MEDIUM | PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts. |
| CVE-2023-27172 | 1 Xpand-it | 1 Write-back Manager | 2025-05-06 | N/A | 9.1 CRITICAL | Xpand IT Write-back Manager v2.3.1 uses weak secret keys to sign JWT tokens. This allows attackers to easily obtain the secret key used to sign JWT tokens via a bruteforce attack. |
| CVE-2024-1104 | 1 Areal-topkapi | 1 Webserv2 | 2025-05-06 | N/A | 7.5 HIGH | An unauthenticated remote attacker can bypass the brute force prevention mechanism and disturb the webservice for all users. |
| CVE-2022-40903 | 1 Aiphone | 8 Gt-db-vn, Gt-db-vn Firmware, Gt-dmb and 5 more | 2025-04-30 | N/A | 6.5 MEDIUM | Aiphone GT-DMB-N 3-in-1 Video Entrance Station with NFC Reader 1.0.3 does not mitigate against repeated failed access attempts, which allows an attacker to gain administrative privileges. |
| CVE-2024-28022 | 1 Hitachienergy | 2 Foxman-un, Unem | 2025-04-29 | N/A | 6.5 MEDIUM | A vulnerability exists in the UNEM server / APIGateway that if exploited allows a malicious user to perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to other components in the same security realm using the targeted account. |
| CVE-2022-37772 | 1 Maarch | 1 Maarch Rm | 2025-04-25 | N/A | 7.5 HIGH | Maarch RM 2.8.3 solution contains an improper restriction of excessive authentication attempts due to excessive verbose responses from the application. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts. |
| CVE-2022-23746 | 1 Checkpoint | 1 Ssl Network Extender | 2025-04-25 | N/A | 7.5 HIGH | The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX). If the portal is configured for username/password authentication, it is vulnerable to a brute-force attack on usernames and passwords. |
| CVE-2025-42600 | | | 2025-04-23 | N/A | N/A | This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts through certain API endpoints of login process. A remote attacker could exploit this vulnerability by performing a brute force attack on OTP, which could lead to gain unauthorized access to other user accounts. |
| CVE-2017-7673 | 1 Apache | 1 Openmeetings | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL | Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection. |
| CVE-2017-15887 | 1 Synology | 1 Carddav Server | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL | An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack. |
| CVE-2017-10604 | 1 Juniper | 2 Junos, Srx | 2025-04-20 | 5.0 MEDIUM | 5.3 MEDIUM | When the device is configured to perform account lockout with a defined period of time, any unauthenticated user attempting to log in as root with an incorrect password can trigger a lockout of the root account. When an SRX Series device is in cluster mode, and a cluster sync or failover operation occurs, then there will be errors associated with synch or failover while the root account is locked out. Administrators can confirm if the root account is locked out via the following command root@dev ... |
| CVE-2017-14423 | 1 Dlink | 2 Dir-850l, Dir-850l Firmware | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH | htdocs/parentalcontrols/bind.php on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices does not prevent unauthenticated nonce-guessing attacks, which makes it easier for remote attackers to change the DNS configuration via a series of requests. |
| CVE-2017-7898 | 1 Rockwellautomation | 21 1763-l16awa Series A, 1763-l16awa Series B, 1763-l16bbb Series A and 18 more | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL | An Improper Restriction of Excessive Authentication Attempts issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, S ... |
| CVE-2017-12316 | 1 Cisco | 1 Identity Services Engine Software | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH | A vulnerability in the Guest Portal login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform multiple login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Guest Portal login page. An exploit could allow the attacker to perform brute-force password attacks on the ... |
| CVE-2016-9124 | 1 Revive-adserver | 1 Revive Adserver | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL | Revive Adserver before 3.2.3 suffers from Improper Restriction of Excessive Authentication Attempts. The login page of Revive Adserver is vulnerable to password-guessing attacks. An account lockdown feature was considered, but rejected to avoid introducing service disruptions to regular users during such attacks. A random delay has instead been introduced as a countermeasure in case of password failures, along with a system to discourage parallel brute forcing. These systems will effectively all ... |
| CVE-2017-7915 | 1 Moxa | 12 Oncell 5004-hspa, Oncell 5004-hspa Firmware, Oncell 5104-hsdpa and 9 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL | An Improper Restriction of Excessive Authentication Attempts issue was discovered in Moxa OnCell G3110-HSPA Version 1.3 build 15082117 and previous versions, OnCell G3110-HSDPA Version 1.2 Build 09123015 and previous versions, OnCell G3150-HSDPA Version 1.4 Build 11051315 and previous versions, OnCell 5104-HSDPA, OnCell 5104-HSPA, and OnCell 5004-HSPA. An attacker can freely use brute force to determine parameters needed to bypass authentication. |
| CVE-2017-11187 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL | phpMyFAQ before 2.9.8 does not properly mitigate brute-force attacks that try many passwords in attempted logins quickly. |
| CVE-2017-1197 | 1 Ibm | 1 Bigfix Security Compliance Analytics | 2025-04-20 | 5.0 MEDIUM | 9.8 CRITICAL | IBM BigFix Compliance (TEMA SUAv1 SCA SCM) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 123672. |