CWE-307
Improper Restriction of Excessive Authentication Attempts
Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (225)
Page 11 of 12

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-3173 | | | 0.00 | — | 0.01 | | Jun 9, 2023 | Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20. |
| CVE-2023-2531 | | | 0.00 | — | 0.01 | | May 5, 2023 | Improper Restriction of Excessive Authentication Attempts in GitHub repository azuracast/azuracast prior to 0.18.3. |
| CVE-2022-2525 | | | 0.00 | — | 0.01 | | Apr 15, 2023 | Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20. |
| CVE-2023-29005 | | | 0.00 | — | 0.01 | | Apr 10, 2023 | Flask-AppBuilder versions before 4.3.0 lack rate limiting, which can allow an attacker to brute-force user credentials. Version 4.3.0 includes the ability to enable rate limiting using `AUTH_RATE_LIMITED = True`, `RATELIMIT_ENABLED = True`, and setting an `AUTH_RATE_LIMIT`. |
| CVE-2023-1539 | | — | 0.00 | — | 0.01 | | Mar 21, 2023 | Improper Restriction of Excessive Authentication Attempts in GitHub repository answerdev/answer prior to 1.0.6. |
| CVE-2023-26476 | | | 0.00 | — | 0.01 | | Mar 2, 2023 | XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated calls to `LiveTableResults` and `WikisLiveTableResultsMacros`. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and… |
| CVE-2023-0860 | | — | 0.00 | — | 0.01 | | Feb 16, 2023 | Improper Restriction of Excessive Authentication Attempts in GitHub repository modoboa/modoboa-installer prior to 2.0.4. |
| CVE-2023-25156 | | | 0.00 | — | 0.01 | | Feb 15, 2023 | Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrade to v12.0 or later to receive a patch. As a workaround, users may install and… |
| CVE-2022-4797 | | — | 0.00 | — | 0.01 | | Dec 28, 2022 | Improper Restriction of Excessive Authentication Attempts in GitHub repository usememos/memos prior to 0.9.1. |
| CVE-2022-2650 | | — | 0.00 | — | 0.01 | | Nov 24, 2022 | Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to 2.2. |
| CVE-2022-39314 | | | 0.00 | — | 0.00 | | Oct 24, 2022 | Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the `code` or `password-reset` auth… |
| CVE-2022-2822 | | | 0.00 | — | 0.01 | | Aug 15, 2022 | An attacker can freely brute force username and password and can take over any account. An attacker could easily guess user passwords and gain access to user and administrative accounts. |
| CVE-2022-2321 | | | 0.00 | — | 0.01 | | Jul 5, 2022 | Improper Restriction of Excessive Authentication Attempts in GitHub repository heroiclabs/nakama prior to 3.13.0. This results in login brute-force attacks. |
| CVE-2020-18698 | | — | 0.00 | — | 0.02 | | Aug 16, 2021 | Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component 'app/api/cms/user.py'. |
| CVE-2021-38155 | | — | 0.00 | — | 0.02 | | Aug 6, 2021 | OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times,… |
| CVE-2021-3663 | | | 0.00 | — | 0.01 | | Jul 25, 2021 | firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts. |
| CVE-2020-25827 | | — | 0.00 | — | 0.02 | | Sep 27, 2020 | An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests… |
| CVE-2020-11052 | | | 0.00 | — | 0.02 | | May 7, 2020 | In Sorcery before 0.15.0, there is a brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired, protection will not be re-enabled until a user… |
| CVE-2020-8827 | | — | 0.00 | — | 0.02 | | Apr 8, 2020 | As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence. |
| CVE-2013-1895 | | | 0.00 | — | 0.03 | | Jan 28, 2020 | The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten. |