Total: 520 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-38488 | 1 Dell | 1 Recoverpoint For Virtual Machines | 2025-02-04 | N/A | 6.5 MEDIUM | Dell RecoverPoint for Virtual Machines 6.0.x contains a vulnerability. An Improper Restriction of Excessive Authentication vulnerability exists that a network attacker could potentially exploit, leading to a brute force attack or a dictionary attack against the RecoverPoint login form and a complete system compromise. This allows attackers to brute-force the password of valid users in an automated manner. |
| CVE-2024-32774 | 1 Metagauss | 1 Profilegrid | 2025-02-03 | N/A | 4.3 MEDIUM | Improper Restriction of Excessive Authentication Attempts vulnerability in Metagauss ProfileGrid allows Removing Important Client Functionality. This issue affects ProfileGrid: from n/a through 5.8.2. |
| CVE-2024-22425 | 1 Dell | 1 Recoverpoint For Virtual Machines | 2025-01-23 | N/A | 6.5 MEDIUM | Dell RecoverPoint for Virtual Machines 5.3.x, 6.0.SP1 contains a brute force/dictionary attack vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability to launch a brute force attack or a dictionary attack against the RecoverPoint login form. This allows attackers to brute-force the password of valid users in an automated manner. |
| CVE-2024-45327 | 1 Fortinet | 1 Fortisoar | 2025-01-21 | N/A | 7.5 HIGH | An improper authorization vulnerability [CWE-285] in the FortiSOAR change password endpoint, version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, and 7.0.0 through 7.0.3, may allow an authenticated attacker to perform a brute force attack on users' and administrators' passwords via crafted HTTP requests. |
| CVE-2023-23755 | 1 Joomla | 1 Joomla! | 2025-01-09 | N/A | 7.5 HIGH | An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods. |
| CVE-2023-33754 | 1 Inpiazza | 1 Cloud Wifi | 2025-01-09 | N/A | 6.5 MEDIUM | The captive portal in Inpiazza Cloud WiFi versions prior to v4.2.17 does not enforce limits on the number of attempts for password recovery, allowing attackers to brute force valid user accounts to gain access to login credentials. |
| CVE-2024-21662 | 1 Argoproj | 1 Argo Cd | 2025-01-09 | N/A | 7.5 HIGH | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection ... |
| CVE-2024-21652 | 1 Argoproj | 1 Argo Cd | 2025-01-09 | N/A | 9.8 CRITICAL | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and an in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but th ... |
| CVE-2024-32868 | 1 Zitadel | 1 Zitadel | 2025-01-08 | N/A | 6.5 MEDIUM | ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0. |
| CVE-2024-8429 | | | 2024-12-17 | N/A | 4.3 MEDIUM | Improper Restriction of Excessive Authentication Attempts vulnerability in Digital Operation Services WiFiBurada allows Use of Known Domain Credentials. This issue affects WiFiBurada: before 1.0.5. |
| CVE-2024-46442 | | | 2024-12-11 | N/A | 9.8 CRITICAL | An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a brute-force attack. |
| CVE-2024-28825 | 1 Checkmk | 1 Checkmk | 2024-12-09 | N/A | 5.9 MEDIUM | Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta), 2.2.0p26, 2.1.0p43, and in Checkmk 2.0.0 (EOL) facilitates password brute-forcing. |
| CVE-2024-9928 | | | 2024-11-26 | N/A | 5.3 MEDIUM | A vulnerability exists in the NSD570 login panel that does not restrict excessive authentication attempts. If exploited, this could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the equipment login. Note that the system supports only one concurrent session and implements a delay of more than a second between failed login attempts, making it difficult to automate the attacks. |
| CVE-2024-5862 | | | 2024-11-21 | N/A | 7.5 HIGH | Improper Restriction of Excessive Authentication Attempts vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Interface Manipulation. This issue affects Mia-Med Health Aplication: before 1.0.14. |
| CVE-2024-3102 | 1 Mintplexlabs | 1 Anythingllm | 2024-11-21 | N/A | 5.3 MEDIUM | A JSON Injection vulnerability exists in the `mintplex-labs/anything-llm` application, specifically within the username parameter during the login process at the `/api/request-token` endpoint. The vulnerability arises from improper handling of values, allowing attackers to perform brute force attacks without prior knowledge of the username. Once the password is known, attackers can conduct blind attacks to ascertain the full username, significantly compromising system security. |
| CVE-2024-39874 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | N/A | 7.5 HIGH | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its Client Communication component. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks. |
| CVE-2024-39873 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | N/A | 7.5 HIGH | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its web API. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks. |
| CVE-2024-38176 | 1 Microsoft | 1 Groupme | 2024-11-21 | N/A | 8.1 HIGH | An improper restriction of excessive authentication attempts in GroupMe allows an unauthenticated attacker to elevate privileges over a network. |
| CVE-2024-35747 | 1 Contact Form Builder Project | 1 Contact Form Builder | 2024-11-21 | N/A | 5.3 MEDIUM | Improper Restriction of Excessive Authentication Attempts vulnerability in wpdevart Contact Form Builder, Contact Widget allows Functionality Bypass. This issue affects Contact Form Builder, Contact Widget: from n/a through 2.1.7. |
| CVE-2024-32720 | | | 2024-11-21 | N/A | 5.3 MEDIUM | Improper Restriction of Excessive Authentication Attempts vulnerability in CodePeople Appointment Hour Booking allows Removing Important Client Functionality. This issue affects Appointment Hour Booking: from n/a through 1.4.56. |
| CVE-2024-32676 | | | 2024-11-21 | N/A | 5.3 MEDIUM | Improper Restriction of Excessive Authentication Attempts vulnerability in LoginPress LoginPress Pro allows Removing Important Client Functionality. This issue affects LoginPress Pro: from n/a before 3.0.0. |
| CVE-2024-2051 | | | 2024-11-21 | N/A | 9.8 CRITICAL | CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the login form. |
| CVE-2024-28833 | 1 Checkmk | 1 Checkmk | 2024-11-21 | N/A | 5.9 MEDIUM | Improper restriction of excessive authentication attempts with two factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms. |
| CVE-2024-25031 | 1 Ibm | 1 Storage Defender | 2024-11-21 | N/A | 6.5 MEDIUM | IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 uses an inadequate account lockout setting that could allow an attacker on the network to brute force account credentials. IBM X-Force ID: 281678. |
| CVE-2024-22317 | 1 Ibm | 1 App Connect Enterprise | 2024-11-21 | N/A | 9.1 CRITICAL | IBM App Connect Enterprise 11.0.0.1 through 11.0.0.24 and 12.0.1.0 through 12.0.11.0 could allow a remote attacker to obtain sensitive information or cause a denial of service due to improper restriction of excessive authentication attempts. IBM X-Force ID: 279143. |
| CVE-2023-6928 | 1 Eurotel | 2 Etl3100, Etl3100 Firmware | 2024-11-21 | N/A | 9.8 CRITICAL | EuroTel ETL3100 versions v01c01 and v01x37 do not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system. |
| CVE-2023-6756 | 1 Thecosy | 1 Icecms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | A vulnerability was found in Thecosy IceCMS 2.0.1. It has been classified as problematic. Affected is an unknown function of the file /login of the component Captcha Handler. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247884. |
| CVE-2023-6272 | 1 Thememylogin | 1 2fa | 2024-11-21 | N/A | 9.8 CRITICAL | The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't take too long, as the 2FA codes are 6 digits. |
| CVE-2023-5754 | 1 Sielco | 6 Polyeco1000, Polyeco1000 Firmware, Polyeco300 and 3 more | 2024-11-21 | N/A | 9.1 CRITICAL | Sielco PolyEco1000 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks to gain full control of the system. |
| CVE-2023-50444 | 1 Primx | 3 Zed!, Zedmail, Zonecentral | 2024-11-21 | N/A | 7.5 HIGH | By default, .ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission); ZED! for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before 2023.5; ZEDMAIL for Windows before 2023.5; and ZED! for Windows, Mac, Linux before 2023.5 include an encrypted version of sensitive user information, which could allow an unauthenticated attacker to obtain it via br ... |
| CVE-2023-50326 | 1 Ibm | 1 Powersc | 2024-11-21 | N/A | 7.5 HIGH | IBM PowerSC 1.3, 2.0, and 2.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 275107. |
| CVE-2023-4625 | 1 Mitsubishielectric | 126 Fx5s-30mr/es, Fx5s-30mr/es Firmware, Fx5s-30mt/es and 123 more | 2024-11-21 | N/A | 5.3 MEDIUM | Improper Restriction of Excessive Authentication Attempts vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F/iQ-R Series CPU modules Web server function allows a remote unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally by continuously attempting unauthorized login to the Web server function. The impact of this vulnerability will persist while the attacker continues to ... |
| CVE-2023-49792 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 5.3 MEDIUM | Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4, as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4, when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a wrong remote address for an attacker, allowing them to execute more authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and N ... |
| CVE-2023-49443 | 1 Html-js | 1 Doracms | 2024-11-21 | N/A | 9.8 CRITICAL | DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a brute-force attack. |
| CVE-2023-49278 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | N/A | 5.3 MEDIUM | Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. |
| CVE-2023-48745 | | | 2024-11-21 | N/A | 5.3 MEDIUM | Improper Restriction of Excessive Authentication Attempts vulnerability in WebFactory Ltd Captcha Code allows Functionality Bypass. This issue affects Captcha Code: from n/a through 2.9. |
| CVE-2023-48276 | | | 2024-11-21 | N/A | 5.3 MEDIUM | Improper Restriction of Excessive Authentication Attempts vulnerability in Nitin Rathod WP Forms Puzzle Captcha allows Functionality Bypass. This issue affects WP Forms Puzzle Captcha: from n/a through 4.1. |
| CVE-2023-46745 | 1 Librenms | 1 Librenms | 2024-11-21 | N/A | 5.3 MEDIUM | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. In affected versions the login method has no rate limit. An attacker may be able to leverage this vulnerability to gain access to user accounts. This issue has been addressed in version 23.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
| CVE-2023-45582 | 1 Fortinet | 1 Fortimail | 2024-11-21 | N/A | 5.6 MEDIUM | An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail version 7.2.0 through 7.2.4, 7.0.0 through 7.0.6 and before 6.4.8 may allow an unauthenticated attacker to perform a brute force attack on the affected endpoints via repeated login attempts. |
| CVE-2023-45191 | 1 Ibm | 1 Engineering Lifecycle Optimization | 2024-11-21 | N/A | 7.5 HIGH | IBM Engineering Lifecycle Optimization 7.0.2 and 7.0.3 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 268755. |