Vulnerabilities (CVE)

Filtered by CWE-307
Total 299 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-44111 1 Huawei 2 Emui, Harmonyos 2023-12-10 N/A 7.5 HIGH
Vulnerability of brute-force attacks on the device authentication module.Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2023-29301 1 Adobe 1 Coldfusion 2023-12-10 N/A 7.5 HIGH
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the confidentiality of the user. Exploitation of this issue does not require user interaction.
CVE-2023-42818 1 Fit2cloud 1 Jumpserver 2023-12-10 N/A 9.8 CRITICAL
JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication against the SSH service This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2023-45148 1 Nextcloud 1 Nextcloud Server 2023-12-10 N/A 4.3 MEDIUM
Nextcloud is an open source home cloud server. When Memcached is used as `memcache.distributed` the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than intended. Users are advised to upgrade to versions 25.0.11, 26.0.6 or 27.1.0. Users unable to upgrade should change their config setting `memcache.distributed` to `\OC\Memcache\Redis` and install Redis instead of Memcached.
CVE-2022-43904 1 Ibm 1 Security Guardium 2023-12-10 N/A 7.5 HIGH
IBM Security Guardium 11.3 and 11.4 could disclose sensitive information to an attacker due to improper restriction of excessive authentication attempts. IBM X-Force ID: 240895.
CVE-2023-27152 1 Opnsense 1 Opnsense 2023-12-10 N/A 9.8 CRITICAL
DECISO OPNsense 23.1 does not impose rate limits for authentication, allowing attackers to perform a brute-force attack to bypass authentication.
CVE-2023-37832 1 Elenos 2 Etg150, Etg150 Firmware 2023-12-10 N/A 7.5 HIGH
A lack of rate limiting in Elenos ETG150 FM transmitter v3.12 allows attackers to obtain user credentials via brute force and cause other unspecified impacts.
CVE-2023-40706 1 Opto22 2 Snap Pac S1, Snap Pac S1 Firmware 2023-12-10 N/A 9.8 CRITICAL
There is no limit on the number of login attempts in the web server for the SNAP PAC S1 Firmware version R10.3b. This could allow for a brute-force attack on the built-in web server login.
CVE-2023-1665 1 Linagora 1 Twake 2023-12-10 N/A 9.8 CRITICAL
Improper Restriction of Excessive Authentication Attempts in GitHub repository linagora/twake prior to 0.0.0.
CVE-2023-26756 1 Revive 1 Adserver 2023-12-10 N/A 7.5 HIGH
The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks.
CVE-2023-29005 1 Flask-appbuilder Project 1 Flask-appbuilder 2023-12-10 N/A 7.5 HIGH
Flask-AppBuilder versions before 4.3.0 lack rate limiting which can allow an attacker to brute-force user credentials. Version 4.3.0 includes the ability to enable rate limiting using `AUTH_RATE_LIMITED = True`, `RATELIMIT_ENABLED = True`, and setting an `AUTH_RATE_LIMIT`.
CVE-2022-42478 1 Fortinet 1 Fortisiem 2023-12-10 N/A 8.8 HIGH
An Improper Restriction of Excessive Authentication Attempts [CWE-307] in FortiSIEM below 7.0.0 may allow a non-privileged user with access to several endpoints to brute force attack these endpoints.
CVE-2023-34243 1 Tgstation13 1 Tgstation-server 2023-12-10 N/A 5.3 MEDIUM
TGstation is a toolset to manage production BYOND servers. In affected versions if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was found, a distinct response would be generated. This issue has been addressed in version 5.12.5. Users are advised to upgrade. Users unable to upgrade may be mitigated by rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline such as fail2ban.
CVE-2023-3173 1 Froxlor 1 Froxlor 2023-12-10 N/A 9.8 CRITICAL
Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20.
CVE-2023-27100 2 Netgate, Pfsense 2 Pfsense Plus, Pfsense 2023-12-10 N/A 9.8 CRITICAL
Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.
CVE-2023-23755 1 Joomla 1 Joomla\! 2023-12-10 N/A 7.5 HIGH
An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.
CVE-2022-36413 1 Zohocorp 1 Manageengine Adselfservice Plus 2023-12-10 N/A 9.1 CRITICAL
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.
CVE-2023-32319 1 Nextcloud 1 Nextcloud Server 2023-12-10 N/A 6.5 MEDIUM
Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-25820 1 Nextcloud 1 Nextcloud Server 2023-12-10 N/A 7.8 HIGH
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as well as Nextcloud Enterprise Server versions 25.0.x prior to 25.0.4, 24.0.x prior to 24.0.10, 23.0.x prior to 23.0.12.5, 22.x prior to 22.2.0.10, and 21.x prior to 21.0.9.10, when an attacker gets access to an already logged in user session they can then brute force the password on the confirmation endpoint. Nextcloud Server should upgraded to 24.0.10 or 25.0.4 and Nextcloud Enterprise Server should upgraded to 21.0.9.10, 22.2.10.10, 23.0.12.5, 24.0.10, or 25.0.4 to receive a patch. No known workarounds are available.
CVE-2023-25818 1 Nextcloud 1 Nextcloud Server 2023-12-10 N/A 7.1 HIGH
Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit `704eb3aa` password reset attempts are now throttled. Note that 62^21 combinations would significant compute resources to brute force. None the less it is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. There are no known workarounds for this vulnerability.