VYPR

CWE-307

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (225), page 10 of 12
  • CVE-2025-55003 · Aug 9, 2025 · risk 0.00 · cvss n/a · epss 0.00

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password…

  • CVE-2025-54998 · Aug 9, 2025 · risk 0.00 · cvss n/a · epss 0.00

    OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems.…

  • CVE-2025-6015 · Aug 1, 2025 · risk 0.00 · cvss n/a · epss 0.00

    Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

  • CVE-2025-6004 · Aug 1, 2025 · risk 0.00 · cvss n/a · epss 0.00

    Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23.

  • CVE-2024-9342 · Jul 16, 2025 · risk 0.00 · cvss n/a · epss 0.00

    In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts.

  • CVE-2025-52997 · Jun 30, 2025 · risk 0.00 · cvss n/a · epss 0.00

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers…

  • CVE-2025-47951 · Jun 16, 2025 · risk 0.00 · cvss n/a · epss 0.00

    Weblate is a web based localization tool. Prior to version 5.12, the verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. This issue has…

  • CVE-2025-43863 · Jun 12, 2025 · risk 0.00 · cvss n/a · epss 0.00

    vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change…

  • CVE-2024-57602 · Feb 12, 2025 · risk 0.00 · cvss n/a · epss 0.01

    An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file.

  • CVE-2024-57610 · Feb 6, 2025 · risk 0.00 · cvss n/a · epss 0.01

    A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core…

  • CVE-2024-4629 · Sep 3, 2024 · risk 0.00 · cvss n/a · epss 0.01

    A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system…

  • CVE-2024-39398 · Aug 14, 2024 · risk 0.00 · cvss n/a · epss 0.01

    Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to perform brute…

  • CVE-2024-32868 · Apr 25, 2024 · risk 0.00 · cvss n/a · epss 0.00

    ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there…

  • CVE-2024-21662 · Mar 18, 2024 · risk 0.00 · cvss n/a · epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in…

  • CVE-2024-21652 · Mar 18, 2024 · risk 0.00 · cvss n/a · epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the…

  • CVE-2024-24767 · Mar 6, 2024 · risk 0.00 · cvss n/a · epss 0.01

    CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the…

  • CVE-2024-21500 · Feb 17, 2024 · risk 0.00 · cvss n/a · epss 0.01

    All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Restriction of Excessive Authentication Attempts via the two-factor authentication (2FA). Although the application blocks the user after several failed attempts to provide 2FA codes,…

  • CVE-2023-49810 · Jan 10, 2024 · risk 0.00 · cvss n/a · epss 0.01

    A login attempt restriction bypass vulnerability exists in the checkLoginAttempts functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to captcha bypass, which can be abused by an attacker to brute force user credentials. An…

  • CVE-2023-46745 · Nov 17, 2023 · risk 0.00 · cvss n/a · epss 0.01

    LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. In affected versions the login method has no rate limit. An attacker may be able to leverage this vulnerability to gain…

  • CVE-2015-20110 · Oct 31, 2023 · risk 0.00 · cvss n/a · epss 0.01

    JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course…
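Three failure modes recur in the entries above: a lockout counter that is only incremented after a slow verification finishes, so a burst of simultaneous requests all pass the check (the pattern described for CVE-2024-4629); a second-factor endpoint with no counter of its own (CVE-2025-47951, CVE-2024-32868, CVE-2024-21500); and a token comparison that stops at the first differing character (CVE-2015-20110). The following is an added Python example, not code from any project listed on this page, showing the check-then-act counter beside one that reserves an attempt slot under a lock before verifying anything, with a separate counter per login stage. The user store, thresholds, window and clock hook are constructed for the demonstration.

```python
import hashlib
import hmac
import threading
import time

# Assumed policy values for the example, not taken from any product above.
MAX_FAILURES = 5        # attempts allowed per window before the stage locks
WINDOW_SECONDS = 900    # sliding window over which attempts are counted
LOCK_SECONDS = 900      # how long a locked stage stays locked


class NaiveLockout:
    """Check-then-act counter: is_locked() is consulted before verification and
    record() runs only after it. Requests in flight between the two calls are
    never counted, so a burst can exceed MAX_FAILURES."""

    def __init__(self):
        self.failures = {}

    def is_locked(self, key):
        return self.failures.get(key, 0) >= MAX_FAILURES

    def record(self, key, success):
        if success:
            self.failures.pop(key, None)
        else:
            self.failures[key] = self.failures.get(key, 0) + 1


class AtomicLockout:
    """reserve() consumes an attempt slot under a lock before any verification
    runs, so no more than MAX_FAILURES verifications happen per window no
    matter how many requests arrive at once. A successful step clears the key."""

    def __init__(self, clock=time.monotonic):
        self._lock = threading.Lock()
        self._clock = clock            # injectable for deterministic tests
        self._state = {}               # key -> (attempt timestamps, locked_until)

    def reserve(self, key):
        now = self._clock()
        with self._lock:
            stamps, locked_until = self._state.get(key, ([], 0.0))
            if now < locked_until:
                return False
            stamps = [t for t in stamps if now - t < WINDOW_SECONDS]
            if len(stamps) >= MAX_FAILURES:
                self._state[key] = (stamps, now + LOCK_SECONDS)
                return False
            stamps.append(now)
            self._state[key] = (stamps, 0.0)
            return True

    def clear(self, key):
        with self._lock:
            self._state.pop(key, None)


def _h(s):
    return hashlib.sha256(s.encode()).digest()

# Constructed sample store: secrets kept as fixed-length digests so the
# comparison below always runs over the same number of bytes.
USERS = {"alice": {"password": _h("correct horse"), "otp": _h("123456")}}


def attempt(limiter, stage, user, candidate):
    """One login step ('password' or 'otp') for one user. Each (stage, user)
    pair has its own counter, so knowing the password does not buy unlimited
    OTP guesses. Unknown users still consume a slot and still get compared."""
    key = (stage, user)
    if not limiter.reserve(key):
        return "locked"
    expected = USERS.get(user, {}).get(stage, b"\0" * 32)
    # Constant-time compare: an early-exit compare leaks the matching prefix.
    if hmac.compare_digest(expected, _h(candidate)):
        limiter.clear(key)
        return "ok"
    return "rejected"


def naive_burst(n):
    """Model n simultaneous requests against NaiveLockout: every request passes
    the lock check before any failure is recorded (the counter only moves once
    the slow verification returns). Returns how many verifications ran."""
    lim, key = NaiveLockout(), ("password", "alice")
    admitted = [not lim.is_locked(key) for _ in range(n)]
    for _ in range(n):
        lim.record(key, False)
    return sum(admitted)


def atomic_burst(n):
    """The same burst against AtomicLockout using real threads. Returns how
    many reservations succeeded; never more than MAX_FAILURES."""
    lim, key = AtomicLockout(), ("password", "alice")
    results = []
    threads = [threading.Thread(target=lambda: results.append(lim.reserve(key)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

Reserving the slot before verification means a correct password arriving as the sixth request in the window is refused rather than let through, which is the intended behaviour of a lockout: the limit bounds verifications, not recorded failures. The per-stage key is what keeps the OTP step from becoming an unthrottled oracle once the password is known.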