CWE-307

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (225)

  • CVE-2016-9361 · Critical · Feb 13, 2017
    risk 0.68 · CVSS 9.8 · EPSS 0.20

    An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPort 5600 Series versions prior to 3.7, NPort 5100A Series & NPort P5150A versions…

  • CVE-2001-1291 · Critical · Jul 12, 2001
    risk 0.67 · CVSS 9.8 · EPSS 0.09

    The telnet server for 3Com hardware such as PS40 SuperStack II does not delay or disconnect remote attackers who provide an incorrect username or password, which makes it easier to break into the server via brute force password guessing.

  • CVE-2001-1339 · Critical · May 24, 2001
    risk 0.67 · CVSS 9.8 · EPSS 0.07

    Beck IPC GmbH IPC@CHIP telnet service does not delay or disconnect users from the service when bad passwords are entered, which makes it easier for remote attackers to conduct brute force password guessing attacks.

  • CVE-2024-41276 · Critical · Oct 1, 2024
    risk 0.65 · CVSS 9.8 · EPSS 0.01

    A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request…

  • CVE-2026-6853 · Critical · Jun 12, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass. This issue affects Pause+ Mobile App: from v1.0.6 before v1.5.

  • CVE-2020-37228 · Critical · May 16, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retrieve valid CAPTCHA codes via the login endpoint and use them to perform…

  • CVE-2026-31851 · Critical · Mar 23, 2026
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 does not implement rate limiting or account lockout mechanisms on authentication interfaces. An attacker can perform unlimited authentication attempts against endpoints that rely on credential validation, enabling…

  • CVE-2025-64310 · Critical · Nov 21, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack.

  • CVE-2025-1740 · Critical · Sep 3, 2025
    risk 0.64 · CVSS 9.8 · EPSS 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Akinsoft MyRezzta allows Authentication Bypass, Password Recovery Exploitation, Brute Force. This issue affects MyRezzta: from s2.03.01 before v2.05.01.

  • CVE-2024-46442 · Critical · Dec 10, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack.

  • CVE-2024-2051 · Critical · Mar 18, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the login form.

  • CVE-2023-35039 · Critical · Dec 7, 2023
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse. This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15.

  • CVE-2020-15786 · Critical · Sep 9, 2020
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions < V16), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions <= V16), SIMATIC HMI Mobile Panels (All versions <= V16), SIMATIC HMI Unified Comfort…

  • CVE-2018-12993 · Critical · Jun 29, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers to conduct brute-force attacks via the onefilecms_username and onefilecms_password fields.

  • CVE-2018-12649 · Critical · Jun 22, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.

  • CVE-2018-1475 · Critical · Apr 27, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    IBM BigFix Platform 9.2 and 9.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 140756.

  • CVE-2018-5469 · Critical · Mar 6, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    An Improper Restriction of Excessive Authentication Attempts issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. An improper restriction of excessive authentication vulnerability in the web interface has…

  • CVE-2017-15887 · Critical · Nov 7, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack.

  • CVE-2017-7673 · Critical · Jul 17, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.

  • CVE-2017-11187 · Critical · Jul 12, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    phpMyFAQ before 2.9.8 does not properly mitigate brute-force attacks that try many passwords in attempted logins quickly.