VYPR

CWE-307

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (225)

page 4 of 12
  • CVE-2026-31904 · High · Mar 20, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct…

  • CVE-2026-31903 · High · Mar 20, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct…

  • CVE-2026-32292 · High · Mar 17, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials.

  • CVE-2026-24696 · High · Mar 6, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct…

  • CVE-2026-20882 · High · Mar 6, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct…

  • CVE-2026-27778 · High · Mar 6, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct…

  • CVE-2025-48014 · High · May 20, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    Password guessing limits could be bypassed when using LDAP authentication.

  • CVE-2024-5862 · High · Jun 24, 2024
    risk 0.49 · cvss 7.5 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Interface Manipulation. This issue affects Mia-Med Health Aplication: before 1.0.14.

  • CVE-2018-1373 · High · Mar 2, 2018
    risk 0.49 · cvss 7.5 · epss 0.03

    IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 137773.

  • CVE-2017-12316 · High · Nov 16, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    A vulnerability in the Guest Portal login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform multiple login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side login…

  • CVE-2017-14423 · High · Sep 13, 2017
    risk 0.49 · cvss 7.5 · epss 0.01

    htdocs/parentalcontrols/bind.php on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices does not prevent unauthenticated nonce-guessing attacks, which makes it easier for remote attackers to change the DNS configuration via a series of requests.

  • CVE-2002-0628 · High · Jan 7, 2003
    risk 0.49 · cvss 7.5 · epss 0.02

    The Telnet service for Polycom ViewStation before 7.2.4 does not restrict the number of failed login attempts, which makes it easier for remote attackers to guess usernames and passwords via a brute force attack.

  • CVE-1999-1152 · High · Jun 3, 1998
    risk 0.49 · cvss 7.5 · epss 0.02

    Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force attack.

  • CVE-2026-33667 · High · Apr 15, 2026
    risk 0.48 · cvss 7.4 · epss 0.00

    OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing…

  • CVE-2025-66413 · High · Mar 10, 2026
    risk 0.48 · cvss 7.4 · epss 0.00

    Git for Windows is the Windows port of Git. Prior to 2.53.0(2), it is possible to obtain a user's NTLM hash by tricking them into cloning from a malicious server. Since NTLM hashing is weak, it is possible for the attacker to brute-force the user's account name and password.…

  • CVE-2025-14362 · High · Apr 21, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.

  • CVE-2025-10161 · High · Nov 11, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass,…

  • CVE-2026-35675 · High · May 28, 2026
    risk 0.46 · cvss 8.2 · epss 0.00

    phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain…

  • CVE-2025-0417 · High · Apr 1, 2025
    risk 0.46 · cvss n/a · epss 0.00

    Lack of protection against brute force attacks in Valmet DNA visualization in DNA Operate. The possibility to make an arbitrary number of login attempts without any rate limit gives an attacker an increased chance of guessing passwords and then performing switching operations.

  • CVE-2025-23368 · High · Mar 4, 2025
    risk 0.46 · cvss 8.1 · epss 0.01

    A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.