Vulnerabilities (CVE)

Filtered by CWE-307
Total 299 CVE
CVE | # Vendors | Vendors | # Products | Products | Updated | CVSS v2 | CVSS v3
CVE-2023-49443 | 1 | Html-js | 1 | Doracms | 2023-12-11 | N/A | 9.8 CRITICAL
DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a brute-force attack.
CVE-2023-48028 | 1 | Kodcloud | 1 | Kodbox | 2023-12-10 | N/A | 9.8 CRITICAL
kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute-force attack.
CVE-2023-24051 | 1 | Connectize | 2 | Ac21000 G6, Ac21000 G6 Firmware | 2023-12-10 | N/A | 9.8 CRITICAL
A client-side rate-limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute-force style attacks.
CVE-2023-43699 | 1 | Sick | 2 | Apu0200, Apu0200 Firmware | 2023-12-10 | N/A | 7.5 HIGH
Improper Restriction of Excessive Authentication Attempts in RDT400 in SICK APU allows an unprivileged remote attacker to guess the password via trial-and-error, as the login attempts are not limited.
CVE-2023-39960 | 1 | Nextcloud | 1 | Nextcloud Server | 2023-12-10 | N/A | 7.5 HIGH
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04, as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4, missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this issue. No known workarounds are available.
CVE-2023-37635 | 1 | Uvdesk | 1 | Community-skeleton | 2023-12-10 | N/A | 9.8 CRITICAL
UVDesk Community Skeleton v1.1.1 allows unauthenticated attackers to perform brute-force attacks on the login page to gain access to the application.
CVE-2023-3548 | 1 | Johnsoncontrols | 2 | Iq Wifi 6, Iq Wifi 6 Firmware | 2023-12-10 | N/A | 9.8 CRITICAL
An unauthorized user could gain account access to IQ Wifi 6 versions prior to 2.0.2 by conducting a brute-force authentication attack.
CVE-2023-21709 | 1 | Microsoft | 1 | Exchange Server | 2023-12-10 | N/A | 9.8 CRITICAL
Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2015-20110 | 1 | Jhipster | 1 | Jhipster | 2023-12-10 | N/A | 7.5 HIGH
JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This drastically reduces the search space to a linear number of guesses: the token length times the number of possible characters.
CVE-2023-45149 | 1 | Nextcloud | 1 | Talk | 2023-12-10 | N/A | 4.3 MEDIUM
Nextcloud Talk is a chat module for the Nextcloud server platform. In affected versions, brute-force protection of public Talk conversation passwords can be bypassed, as there was an endpoint validating the conversation password without registering brute-force attempts. It is recommended that the Nextcloud Talk app is upgraded to 15.0.8, 16.0.6 or 17.1.1. There are no known workarounds for this vulnerability.
CVE-2023-42769 | 1 | Sielco | 30 | Analog Fm Transmitter Exc1000gt, Analog Fm Transmitter Exc1000gt Firmware, Analog Fm Transmitter Exc1000gx and 27 more | 2023-12-10 | N/A | 9.8 CRITICAL
The cookie session ID is of insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication, and manipulate the transmitter.
CVE-2023-39958 | 1 | Nextcloud | 1 | Nextcloud Server | 2023-12-10 | N/A | 5.3 MEDIUM
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.
CVE-2023-44096 | 1 | Huawei | 2 | Emui, Harmonyos | 2023-12-10 | N/A | 7.5 HIGH
Vulnerability of brute-force attacks on the device authentication module. Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-46123 | 1 | Fit2cloud | 1 | Jumpserver | 2023-12-10 | N/A | 5.3 MEDIUM
JumpServer is an open source bastion host and professional operations and maintenance security audit system that complies with 4A specifications. A flaw in the Core API allows attackers to bypass password brute-force protections by spoofing arbitrary IP addresses. By exploiting this vulnerability, attackers can effectively make unlimited password attempts by altering their apparent IP address for each request. This vulnerability has been patched in version 3.8.0.
CVE-2022-24402 | 1 | Midnightblue | 1 | Tetra\ | 2023-12-10 | N/A | 7.5 HIGH
The TETRA TEA1 keystream generator implements a key register initialization function that compresses the 80-bit key to only 32 bits for usage during the keystream generation phase, which is insufficient to safeguard against exhaustive search attacks.
CVE-2023-32657 | 1 | Weintek | 1 | Weincloud | 2023-12-10 | N/A | 7.5 HIGH
Weintek Weincloud v0.13.6 could allow an attacker to efficiently develop a brute-force attack on credentials using authentication hints from error message responses.
CVE-2023-26271 | 1 | Ibm | 1 | Guardium Cloud Key Manager | 2023-12-10 | N/A | 7.5 HIGH
IBM Security Guardium Data Encryption (IBM Guardium Cloud Key Manager (GCKM) 1.10.3) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 248126.
CVE-2023-41350 | 1 | Nokia | 2 | G-040w-q, G-040w-q Firmware | 2023-12-10 | N/A | 9.8 CRITICAL
Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient measures to prevent multiple failed authentication attempts. An unauthenticated remote attacker can execute crafted JavaScript to expose the captcha in the page, making it very easy for bots to bypass the captcha check and leaving the device more susceptible to brute-force attacks.
CVE-2023-3669 | 1 | Codesys | 1 | Development System | 2023-12-10 | N/A | 3.3 LOW
Missing brute-force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker unlimited attempts at guessing the password within an import dialog.
CVE-2023-5754 | 1 | Sielco | 6 | Polyeco1000, Polyeco1000 Firmware, Polyeco300 and 3 more | 2023-12-10 | N/A | 9.8 CRITICAL
Sielco PolyEco1000 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks, allowing an attacker to gain full control of the system.