Vulnerabilities (CVE)

Filtered by CWE-307
Total 123 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-28909 1 Bab-technologie 2 Eibport, Eibport Firmware 2021-09-21 5.0 MEDIUM 9.8 CRITICAL
BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers to access uncontrolled the login service at /webif/SecurityModule in a brute force attack. The password could be weak and default username is known as 'admin'. This is usable and part of an attack chain to gain SSH root access.
CVE-2021-28911 1 Bab-technologie 2 Eibport, Eibport Firmware 2021-09-20 10.0 HIGH 9.8 CRITICAL
BAB TECHNOLOGIE GmbH eibPort V3 prior version 3.9.1 allow unauthenticated attackers access to /tmp path which contains some sensitive data (e.g. device serial number). Having those info, a possible loginId can be self-calculated in a brute force attack against BMX interface. This is usable and part of an attack chain to gain SSH root access.
CVE-2021-38725 1 Thedaylightstudio 1 Fuel Cms 2021-09-20 5.0 MEDIUM 5.3 MEDIUM
Fuel CMS 1.5.0 has a brute force vulnerability in fuel/modules/fuel/controllers/Login.php
CVE-2021-22915 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2021-09-20 5.0 MEDIUM 9.8 CRITICAL
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
CVE-2021-32522 1 Qsan 3 Sanos, Storage Manager, Xevo 2021-09-20 5.0 MEDIUM 9.8 CRITICAL
Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users’ credentials and obtain access via a brute force attack. Suggest contacting with QSAN and refer to recommendations in QSAN Document.
CVE-2021-32705 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2021-09-20 5.0 MEDIUM 7.5 HIGH
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
CVE-2021-32703 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2021-09-20 5.0 MEDIUM 5.3 MEDIUM
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
CVE-2021-32678 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2021-09-20 5.0 MEDIUM 5.3 MEDIUM
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.
CVE-2021-22003 2 Linux, Vmware 5 Linux Kernel, Cloud Foundation, Identity Manager and 2 more 2021-09-09 5.0 MEDIUM 7.5 HIGH
VMware Workspace ONE Access and Identity Manager, unintentionally provide a login interface on port 7443. A malicious actor with network access to port 7443 may attempt user enumeration or brute force the login endpoint, which may or may not be practical based on lockout policy configuration and password complexity for the target account.
CVE-2021-29987 2 Linux, Mozilla 3 Linux Kernel, Firefox, Thunderbird 2021-08-25 4.3 MEDIUM 6.5 MEDIUM
After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. *This bug only affects Firefox on Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox < 91 and Thunderbird < 91.
CVE-2020-18698 1 Talelin 1 Lin-cms-flask 2021-08-23 5.0 MEDIUM 9.8 CRITICAL
Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component 'app/api/cms/user.py'.
CVE-2021-20427 2 Ibm, Linux 2 Security Guardium, Linux Kernel 2021-08-19 5.0 MEDIUM 7.5 HIGH
IBM Security Guardium 11.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 196314.
CVE-2021-38155 1 Openstack 1 Keystone 2021-08-18 5.0 MEDIUM 7.5 HIGH
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.
CVE-2021-35472 2 Debian, Lemonldap-ng 2 Debian Linux, Lemonldap\ 2021-08-11 6.0 MEDIUM 8.8 HIGH
An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.
CVE-2021-27943 1 Vizio 4 E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more 2021-08-11 5.0 MEDIUM 7.5 HIGH
The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the device, leading to remote control of the TV settings and configurations.
CVE-2021-3663 1 Firefly-iii 1 Firefly Iii 2021-08-04 5.0 MEDIUM 7.5 HIGH
firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts
CVE-2020-23283 1 Mv 1 Mconnect 2021-08-02 5.0 MEDIUM 7.5 HIGH
Information disclosure in Logon Page in MV's mConnect application v02.001.00 allows an attacker to know valid users from the application's database via brute force.
CVE-2019-13394 1 Netgear 2 Cg3700b, Cg3700b Firmware 2021-07-21 5.0 MEDIUM 9.8 CRITICAL
The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Basic Authentication over cleartext HTTP.
CVE-2020-6875 1 Zte 2 Zxone 19700 Snpe, Zxone 19700 Snpe Firmware 2021-07-21 5.0 MEDIUM 9.8 CRITICAL
A ZTE product is impacted by the improper access control vulnerability. Due to lack of an authentication protection mechanism in the program, attackers could use this vulnerability to gain access right through brute-force attacks. This affects: <ZXONE 19700 SNPE><ZXONE8700V1.40R2B13_SNPE>
CVE-2021-3412 1 Redhat 2 3scale, 3scale Api Management 2021-07-08 5.0 MEDIUM 7.3 HIGH
It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks.