Total
375 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2002-0628 | 1 Polycom | 8 Viewstation 128, Viewstation 512, Viewstation Dcp and 5 more | 2024-02-09 | 5.0 MEDIUM | 7.5 HIGH |
| The Telnet service for Polycom ViewStation before 7.2.4 does not restrict the number of failed login attempts, which makes it easier for remote attackers to guess usernames and passwords via a brute force attack. | |||||
| CVE-2001-1291 | 1 3com | 2 Superstack Ii Ps Hub 40, Superstack Ii Ps Hub 40 Firmware | 2024-02-09 | 10.0 HIGH | 9.8 CRITICAL |
| The telnet server for 3Com hardware such as PS40 SuperStack II does not delay or disconnect remote attackers who provide an incorrect username or password, which makes it easier to break into the server via brute force password guessing. | |||||
| CVE-2001-0395 | 1 Lightwavemo | 2 Consoleserver 3200, Consoleserver 3200 Firmware | 2024-02-09 | 7.5 HIGH | 9.8 CRITICAL |
| Lightwave ConsoleServer 3200 does not disconnect users after unsuccessful login attempts, which could allow remote attackers to conduct brute force password guessing. | |||||
| CVE-2023-38273 | 1 Ibm | 1 Cloud Pak System | 2024-02-08 | N/A | 7.5 HIGH |
| IBM Cloud Pak System 2.3.1.1, 2.3.2.0, and 2.3.3.7 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 260733. | |||||
| CVE-2023-50326 | 1 Ibm | 1 Powersc | 2024-02-02 | N/A | 7.5 HIGH |
| IBM PowerSC 1.3, 2.0, and 2.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 275107. | |||||
| CVE-2022-45790 | 1 Omron | 92 Cj1g-cpu42p, Cj1g-cpu42p Firmware, Cj1g-cpu43p and 89 more | 2024-01-29 | N/A | 9.1 CRITICAL |
| The Omron FINS protocol has an authenticated feature to prevent access to memory regions. Authentication is susceptible to bruteforce attack, which may allow an adversary to gain access to protected memory. This access can allow overwrite of values including programmed logic. | |||||
| CVE-2024-22317 | 1 Ibm | 1 App Connect Enterprise | 2024-01-24 | N/A | 9.1 CRITICAL |
| IBM App Connect Enterprise 11.0.0.1 through 11.0.0.24 and 12.0.1.0 through 12.0.11.0 could allow a remote attacker to obtain sensitive information or cause a denial of service due to improper restriction of excessive authentication attempts. IBM X-Force ID: 279143. | |||||
| CVE-2021-38155 | 1 Openstack | 1 Keystone | 2024-01-21 | 5.0 MEDIUM | 7.5 HIGH |
| OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected. | |||||
| CVE-2023-49792 | 1 Nextcloud | 1 Nextcloud Server | 2024-01-03 | N/A | 9.8 CRITICAL |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when a (reverse) proxy is configured as trusted proxy the server could be tricked into reading a wrong remote address for an attacker, allowing them executing authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available. | |||||
| CVE-2023-6928 | 1 Eurotel | 2 Etl3100, Etl3100 Firmware | 2023-12-29 | N/A | 9.8 CRITICAL |
| EuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system. | |||||
| CVE-2023-6272 | 1 Thememylogin | 1 2fa | 2023-12-22 | N/A | 9.8 CRITICAL |
| The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits. | |||||
| CVE-2023-50444 | 1 Primx | 3 Zed\!, Zedmail, Zonecentral | 2023-12-20 | N/A | 7.5 HIGH |
| By default, .ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission); ZED! for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before 2023.5; ZEDMAIL for Windows before 2023.5; and ZED! for Windows, Mac, Linux before 2023.5 include an encrypted version of sensitive user information, which could allow an unauthenticated attacker to obtain it via brute force. | |||||
| CVE-2023-49278 | 1 Umbraco | 1 Umbraco Cms | 2023-12-15 | N/A | 5.3 MEDIUM |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.4, a brute force exploit can be used to collect valid usernames. Versions 8.18.10, 10.8.1, and 12.3.4 contain a patch for this issue. | |||||
| CVE-2023-35039 | 1 Bedevious | 1 Password Reset With Code For Wordpress Rest Api | 2023-12-12 | N/A | 9.8 CRITICAL |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15. | |||||
| CVE-2023-49443 | 1 Html-js | 1 Doracms | 2023-12-11 | N/A | 9.8 CRITICAL |
| DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack. | |||||
| CVE-2023-48028 | 1 Kodcloud | 1 Kodbox | 2023-11-25 | N/A | 9.8 CRITICAL |
| kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack. | |||||
| CVE-2023-41350 | 1 Nokia | 2 G-040w-q, G-040w-q Firmware | 2023-11-13 | N/A | 9.8 CRITICAL |
| Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient measures to prevent multiple failed authentication attempts. An unauthenticated remote attacker can execute a crafted Javascript to expose captcha in page, making it very easy for bots to bypass the captcha check and more susceptible to brute force attacks. | |||||
| CVE-2017-14423 | 1 Dlink | 2 Dir-850l, Dir-850l Firmware | 2023-11-08 | 5.0 MEDIUM | 7.5 HIGH |
| htdocs/parentalcontrols/bind.php on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices does not prevent unauthenticated nonce-guessing attacks, which makes it easier for remote attackers to change the DNS configuration via a series of requests. | |||||
| CVE-2023-37832 | 1 Elenos | 2 Etg150, Etg150 Firmware | 2023-11-08 | N/A | 7.5 HIGH |
| A lack of rate limiting in Elenos ETG150 FM transmitter v3.12 allows attackers to obtain user credentials via brute force and cause other unspecified impacts. | |||||
| CVE-2015-20110 | 1 Jhipster | 1 Jhipster | 2023-11-08 | N/A | 7.5 HIGH |
| JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters. | |||||