Total
520 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-30305 | 1 Fortinet | 2 Fortideceptor, Fortisandbox | 2024-11-21 | N/A | 3.7 LOW |
|
An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2, 3.3.0 through 3.3.3, 3.2.0 through 3.2.2,3.1.0 through 3.1.1 and 3.0.0 through 3.0.2 may allow a remote attacker to repeatedly enter incorrect credentials without causing a log entry, and with no limit on the number of failed authentication attempts.
|
|||||
| CVE-2022-30235 | 1 Schneider-electric | 4 Wiser Smart Eer21000, Wiser Smart Eer21000 Firmware, Wiser Smart Eer21001 and 1 more | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
|
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow unauthorized access when an attacker uses brute force. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)
|
|||||
| CVE-2022-2822 | 1 Octoprint | 1 Octoprint | 2024-11-21 | N/A | 7.5 HIGH |
|
An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative accounts.
|
|||||
| CVE-2022-2650 | 1 Wger | 1 Wger | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to 2.2.
|
|||||
| CVE-2022-2321 | 1 Heroiclabs | 1 Nakama | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Improper Restriction of Excessive Authentication Attempts in GitHub repository heroiclabs/nakama prior to 3.13.0. This results in login brute-force attacks.
|
|||||
| CVE-2022-2166 | 1 Joinmastodon | 1 Mastodon | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
|
|||||
| CVE-2022-29084 | 1 Dell | 3 Unity Operating Environment, Unity Xt Operating Environment, Unityvsa Operating Environment | 2024-11-21 | 10.0 HIGH | 8.1 HIGH |
|
Dell Unity, Dell UnityVSA, and Dell Unity XT versions before 5.2.0.0.5.173 do not restrict excessive authentication attempts in Unisphere GUI. A remote unauthenticated attacker may potentially exploit this vulnerability to brute-force passwords and gain access to the system as the victim. Account takeover is possible if weak passwords are used by users.
|
|||||
| CVE-2022-29056 | 1 Fortinet | 1 Fortimail | 2024-11-21 | N/A | 3.7 LOW |
|
A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0 through 6.2.4 and before 6.0.9 allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.
|
|||||
| CVE-2022-28386 | 1 Verbatim | 4 Gd25lk01-3637-c, Gd25lk01-3637-c Firmware, Keypad Secure Usb 3.2 Gen 1 and 1 more | 2024-11-21 | 2.1 LOW | 4.6 MEDIUM |
|
An issue was discovered in certain Verbatim drives through 2022-03-31. The security feature for lockout (e.g., requiring a reformat of the drive after 20 failed unlock attempts) does not work as specified. More than 20 attempts may be made. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428 and Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0.
|
|||||
| CVE-2022-28384 | 1 Verbatim | 4 Keypad Secure Usb 3.2 Gen 1, Keypad Secure Usb 3.2 Gen 1 Firmware, Store \'n\' Go Secure Portable Hdd and 1 more | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
An issue was discovered in certain Verbatim drives through 2022-03-31. Due to an insecure design, they allow an offline brute-force attack for determining the correct passcode, and thus gaining unauthorized access to the stored encrypted data. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428 and Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0.
|
|||||
| CVE-2022-27516 | 1 Citrix | 3 Application Delivery Controller, Application Delivery Controller Firmware, Gateway | 2024-11-21 | N/A | 5.3 MEDIUM |
|
User login brute force protection functionality bypass
|
|||||
| CVE-2022-26519 | 1 Carrier | 2 Hills Comnav, Hills Comnav Firmware | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials.
|
|||||
| CVE-2022-26314 | 1 Mendix | 1 Forgot Password | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations.
|
|||||
| CVE-2022-25820 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 4.2 MEDIUM |
|
A vulnerable design in fingerprint matching algorithm prior to SMR Mar-2022 Release 1 allows physical attackers to perform brute force attack on screen lock password.
|
|||||
| CVE-2022-24689 | 1 Dsk | 1 Dsknet | 2024-11-21 | N/A | 5.3 MEDIUM |
|
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts.
|
|||||
| CVE-2022-24402 | 1 Midnightblue | 1 Tetra\ | 2024-11-21 | N/A | 8.8 HIGH |
|
The TETRA TEA1 keystream generator implements a key register initialization function that compresses the 80-bit key to only 32 bits for usage during the keystream generation phase, which is insufficient to safeguard against exhaustive search attacks.
|
|||||
| CVE-2022-24044 | 1 Siemens | 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The login functionality of the application does not employ any countermeasures against Password Spraying attacks or Credential Stuffing attacks. An attacker could obtain a list of valid usernames on the device by exploiting the issue and then perform a precise Password ...
Show More |
|||||
| CVE-2022-22810 | 1 Schneider-electric | 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)
|
|||||
| CVE-2022-22561 | 1 Dell | 1 Emc Powerscale Onefs | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
|
Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts.
|
|||||
| CVE-2022-22553 | 1 Dell | 1 Emc Appsync | 2024-11-21 | 7.5 HIGH | 8.1 HIGH |
|
Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that can be exploited from UI and CLI. An adjacent unauthenticated attacker could potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users.
|
|||||
| CVE-2022-22496 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Server, Linux Kernel and 1 more | 2024-11-21 | 3.3 LOW | 6.5 MEDIUM |
|
While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL. While in this mode, it may be susceptible to an offline dictionary attack. IBM X-Force ID: 226942.
|
|||||
| CVE-2022-22487 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Server, Linux Kernel and 1 more | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrative ID. A remote attacker could exploit this vulnerability using brute force techniques to gain unauthorized administrative access to both the IBM Spectrum Protect storage agent and the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 with which it communicates. IBM X-Force ID: 226326.
|
|||||
| CVE-2022-22485 | 3 Ibm, Linux, Microsoft | 4 Aix, Spectrum Protect Operations Center, Linux Kernel and 1 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In some cases, an unsuccessful attempt to log into IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14.000 does not cause the administrator's invalid sign-on count to be incremented on the IBM Spectrum Protect Server. An attacker could exploit this vulnerability using brute force techniques to gain unauthorized administrative access to the IBM Spectrum Protect Server. IBM X-Force ID: 226325.
|
|||||
| CVE-2022-22452 | 2 Ibm, Linux | 2 Security Verify Governance, Linux Kernel | 2024-11-21 | N/A | 7.5 HIGH |
|
IBM Security Verify Identity Manager 10.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 224918.
|
|||||
| CVE-2021-44033 | 1 Ionic | 1 Identity Vault | 2024-11-21 | 4.6 MEDIUM | 6.8 MEDIUM |
|
In Ionic Identity Vault before 5.0.5, the protection mechanism for invalid unlock attempts can be bypassed.
|
|||||
| CVE-2021-43958 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability.
|
|||||
| CVE-2021-43298 | 1 Embedthis | 1 Goahead | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver's response time until the unauthorized (401) response.
|
|||||
| CVE-2021-42544 | 1 Businessdnasolutions | 1 Topease | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
|
Missing Rate Limiting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on the Login Form allows an unauthenticated remote attacker to perform multiple login attempts, which facilitates gaining privileges.
|
|||||
| CVE-2021-42096 | 2 Debian, Gnu | 2 Debian Linux, Mailman | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.
|
|||||
| CVE-2021-41435 | 1 Asus | 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific H ...
Show More |
|||||
| CVE-2021-41171 | 1 Elabftw | 1 Elabftw | 2024-11-21 | 4.0 MEDIUM | 5.9 MEDIUM |
|
eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header. This issue has been addressed by implementing brute force login protection, as recommended by Owasp with Device Cookies. This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. The only correc ...
Show More |
|||||
| CVE-2021-3663 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts
|
|||||
| CVE-2021-3412 | 1 Redhat | 2 3scale, 3scale Api Management | 2024-11-21 | 5.0 MEDIUM | 7.3 HIGH |
|
It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks.
|
|||||
| CVE-2021-3138 | 1 Discourse | 1 Discourse | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.
|
|||||
| CVE-2021-38890 | 4 Ibm, Linux, Microsoft and 1 more | 5 Aix, Sterling Connect\, Linux Kernel and 2 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 209507.
|
|||||
| CVE-2021-38725 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Fuel CMS 1.5.0 has a brute force vulnerability in fuel/modules/fuel/controllers/Login.php
|
|||||
| CVE-2021-38474 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2024-11-21 | 5.0 MEDIUM | 6.3 MEDIUM |
|
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have has no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitation and without harming the normal operation of the user. This could allow an attacker to gain valid credentials for the product interface.
|
|||||
| CVE-2021-38155 | 1 Openstack | 1 Keystone | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failu ...
Show More |
|||||
| CVE-2021-37934 | 1 Huntflow | 1 Huntflow Enterprise | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
|
Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.
|
|||||
| CVE-2021-36750 | 2 Sandisk, Zendesk | 3 Secureaccess, Enc Datavault, Enc Vaultapi | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names).
|
|||||