Vulnerabilities (CVE)

Filtered by CWE-307
Total 299 CVE
Columns: CVE | Vendors (count and names) | Products (count and names) | Updated | CVSS v2 | CVSS v3
CVE-2023-1539 | Vendors: 1 (Answer) | Products: 1 (Answer) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 5.3 MEDIUM
Improper Restriction of Excessive Authentication Attempts in GitHub repository answerdev/answer prior to 1.0.6.
CVE-2023-32224 | Vendors: 1 (Dlink) | Products: 2 (Dsl-224, Dsl-224 Firmware) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
D-Link DSL-224 firmware version 3.0.10 is affected by CWE-307: Improper Restriction of Excessive Authentication Attempts.
CVE-2022-43947 | Vendors: 1 (Fortinet) | Products: 2 (Fortios, Fortiproxy) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 8.8 HIGH
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiOS version 7.2.0 through 7.2.3 and before 7.0.10, FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8 administrative interface allows an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.
CVE-2023-35172 | Vendors: 1 (Nextcloud) | Products: 1 (Nextcloud Server) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 9.1 CRITICAL
Nextcloud Server and Nextcloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In Nextcloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2, and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, an attacker can brute-force the password reset links. Nextcloud Server 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. No known workarounds are available.
CVE-2023-33754 | Vendors: 1 (Inpiazza) | Products: 1 (Cloud Wifi) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 6.5 MEDIUM
The captive portal in Inpiazza Cloud WiFi versions prior to v4.2.17 does not enforce limits on the number of attempts for password recovery, allowing attackers to brute force valid user accounts to gain access to login credentials.
CVE-2023-36917 | Vendors: 1 (Sap) | Products: 1 (Businessobjects Business Intelligence) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 7.5 HIGH
SAP BusinessObjects Business Intelligence Platform, versions 420 and 430, allows an unauthorized attacker who has hijacked a user session to bypass the victim's old password via brute force, because the password change functionality has no rate limit. Although the attack has no impact on integrity or system availability, it could allow an attacker to completely take over a victim's account.
CVE-2022-2525 | Vendors: 1 (Calibre-web Project) | Products: 1 (Calibre-web) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
CVE-2023-28847 | Vendors: 1 (Nextcloud) | Products: 1 (Nextcloud Server) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 7.5 HIGH
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share links so they can just start brute forcing the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contain a fix for this issue. No known workarounds are available.
CVE-2023-35697 | Vendors: 1 (Sick) | Products: 2 (Icr890-4, Icr890-4 Firmware) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 7.5 HIGH
Improper Restriction of Excessive Authentication Attempts in the SICK ICR890-4 could allow a remote attacker to brute-force user credentials.
CVE-2023-2531 | Vendors: 1 (Azuracast) | Products: 1 (Azuracast) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
Improper Restriction of Excessive Authentication Attempts in GitHub repository azuracast/azuracast prior to 0.18.3.
CVE-2023-32320 | Vendors: 1 (Nextcloud) | Products: 1 (Nextcloud Server) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 7.5 HIGH
Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests were sent in parallel, all of them were executed even if the number of faulty requests had already exceeded the limit by the time the response was sent to the client. This allowed someone to send as many requests as the server could handle in parallel to brute-force protected details, instead of being held to the configured limit (default 8). Nextcloud Server versions 25.0.7 and 26.0.2 and Nextcloud Enterprise Server versions 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 and 26.0.2 contain patches for this issue.
CVE-2023-27746 | Vendors: 1 (Blackvue) | Products: 4 (Dr750-2ch Ir Lte, Dr750-2ch Ir Lte Firmware, Dr750-2ch Lte and 1 more) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
BlackVue DR750-2CH LTE v.1.012_2022.10.26 was discovered to contain a weak default passphrase which can be easily cracked via a brute force attack if the WPA2 handshake is intercepted.
CVE-2023-32074 | Vendors: 1 (Nextcloud) | Products: 1 (User Oidc) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
The user_oidc app is an OpenID Connect user backend for Nextcloud. Authentication can be broken or bypassed in the user_oidc app. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.2.
CVE-2023-33868 | Vendors: 1 (Piigab) | Products: 2 (M-bus 900s, M-bus 900s Firmware) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
The number of login attempts is not limited. This could allow an attacker to perform a brute force on HTTP basic authentication.
CVE-2022-32757 | Vendors: 1 (Ibm) | Products: 1 (Security Directory Suite Va) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 7.5 HIGH
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 228510.
CVE-2022-43377 | Vendors: 1 (Schneider-electric) | Products: 10 (Netbotz 355, Netbotz 355 Firmware, Netbotz 450 and 7 more) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 7.5 HIGH
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover when a brute force attack is performed on the account. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior)
CVE-2023-25156 | Vendors: 1 (Kiwitcms) | Products: 1 (Kiwi Tcms) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 9.8 CRITICAL
Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrade to v12.0 or later to receive a patch. As a workaround, users may install and configure a rate-limiting proxy in front of Kiwi TCMS.
CVE-2022-29056 | Vendors: 1 (Fortinet) | Products: 1 (Fortimail) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 5.3 MEDIUM
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0 through 6.2.4 and before 6.0.9 allows a remote unauthenticated attacker to partially exhaust CPU and memory by sending numerous HTTP requests to the login form.
CVE-2022-4797 | Vendors: 1 (Usememos) | Products: 1 (Memos) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 4.3 MEDIUM
Improper Restriction of Excessive Authentication Attempts in GitHub repository usememos/memos prior to 0.9.1.
CVE-2023-26208 | Vendors: 1 (Fortinet) | Products: 1 (Fortiauthenticator) | Updated: 2023-12-10 | CVSS v2: N/A | CVSS v3: 5.3 MEDIUM
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiAuthenticator 6.4.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory by sending numerous HTTP requests to the login form.