CWE-307
Improper Restriction of Excessive Authentication Attempts
Description
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653
CVEs mapped to this weakness (225)
page 7 of 12

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-9928 | | Med | 0.34 | 5.3 | 0.00 | | Nov 26, 2024 | A vulnerability exists in NSD570 login panel that does not restrict excessive authentication attempts. If exploited, this could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the equipment login. Note that the… |
| CVE-2024-47592 | | Med | 0.34 | 5.3 | 0.00 | | Nov 12, 2024 | SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability. |
| CVE-2023-48745 | | Med | 0.34 | 5.3 | 0.00 | | Jun 4, 2024 | Improper Restriction of Excessive Authentication Attempts vulnerability in WebFactory Ltd Captcha Code allows Functionality Bypass. This issue affects Captcha Code: from n/a through 2.9. |
| CVE-2023-48276 | | Med | 0.34 | 5.3 | 0.00 | | Jun 4, 2024 | Improper Restriction of Excessive Authentication Attempts vulnerability in Nitin Rathod WP Forms Puzzle Captcha allows Functionality Bypass. This issue affects WP Forms Puzzle Captcha: from n/a through 4.1. |
| CVE-2023-45009 | | Med | 0.34 | 5.3 | 0.00 | | Jun 4, 2024 | Improper Restriction of Excessive Authentication Attempts vulnerability in Forge12 Interactive GmbH Captcha/Honeypot for Contact Form 7 allows Functionality Bypass. This issue affects Captcha/Honeypot for Contact Form 7: from n/a through 1.11.3. |
| CVE-2023-44235 | | Med | 0.34 | 5.3 | 0.00 | | Jun 4, 2024 | Improper Restriction of Excessive Authentication Attempts vulnerability in Devnath verma WP Captcha allows Functionality Bypass. This issue affects WP Captcha: from n/a through 2.0.0. |
| CVE-2024-32720 | | Med | 0.34 | 5.3 | 0.00 | | May 17, 2024 | Improper Restriction of Excessive Authentication Attempts vulnerability in CodePeople Appointment Hour Booking allows Removing Important Client Functionality. This issue affects Appointment Hour Booking: from n/a through 1.4.56. |
| CVE-2024-32676 | | Med | 0.34 | 5.3 | 0.00 | | Apr 25, 2024 | Improper Restriction of Excessive Authentication Attempts vulnerability in LoginPress LoginPress Pro allows Removing Important Client Functionality. This issue affects LoginPress Pro: from n/a before 3.0.0. |
| CVE-2023-35697 | | Med | 0.34 | 5.3 | 0.01 | | Jul 10, 2023 | Improper Restriction of Excessive Authentication Attempts in the SICK ICR890-4 could allow a remote attacker to brute-force user credentials. |
| CVE-2026-35597 | | Med | 0.31 | 5.9 | 0.00 | | Apr 10, 2026 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls… |
| CVE-2024-51720 | | Med | 0.31 | 4.8 | 0.00 | | Nov 12, 2024 | An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim’s account and telephone number. |
| CVE-2026-49324 | | Med | 0.30 | 4.6 | 0.00 | | May 29, 2026 | Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a… |
| CVE-2025-12896 | | Med | 0.29 | 4.4 | 0.00 | | Nov 7, 2025 | Improper resource management in firmware of some Solidigm DC Products may allow an attacker with local or physical access to gain unauthorized access to a locked storage device. |
| CVE-2024-8429 | | Med | 0.28 | 4.3 | 0.00 | | Dec 17, 2024 | Improper Restriction of Excessive Authentication Attempts vulnerability in Digital Operation Services WiFiBurada allows Use of Known Domain Credentials. This issue affects WiFiBurada: before 1.0.5. |
| CVE-2025-64526 | | Med | 0.27 | 5.3 | 0.00 | | May 14, 2026 | Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an… |
| CVE-2026-44195 | | Med | 0.27 | 5.3 | 0.00 | | May 13, 2026 | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username… |
| CVE-2026-40485 | | Med | 0.27 | 5.3 | 0.00 | | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with… |
| CVE-2026-33763 | | Med | 0.27 | 5.3 | 0.00 | | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean… |
| CVE-2026-10216 | | Low | 0.24 | 3.7 | 0.00 | | Jun 1, 2026 | A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. The… |
| CVE-2026-7671 | | Low | 0.24 | 3.7 | 0.01 | | May 3, 2026 | A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from… |