VYPR

CWE-307

Improper Restriction of Excessive Authentication Attempts

Base · Draft

Description

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-16 · CAPEC-49 · CAPEC-560 · CAPEC-565 · CAPEC-600 · CAPEC-652 · CAPEC-653

CVEs mapped to this weakness (225)

page 7 of 12
  • CVE-2024-9928 · Med · Nov 26, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    A vulnerability exists in NSD570 login panel that does not restrict excessive authentication attempts. If exploited, this could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the equipment login. Note that the…

  • CVE-2024-47592 · Med · Nov 12, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability.

  • CVE-2023-48745 · Med · Jun 4, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in WebFactory Ltd Captcha Code allows Functionality Bypass. This issue affects Captcha Code: from n/a through 2.9.

  • CVE-2023-48276 · Med · Jun 4, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Nitin Rathod WP Forms Puzzle Captcha allows Functionality Bypass. This issue affects WP Forms Puzzle Captcha: from n/a through 4.1.

  • CVE-2023-45009 · Med · Jun 4, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Forge12 Interactive GmbH Captcha/Honeypot for Contact Form 7 allows Functionality Bypass. This issue affects Captcha/Honeypot for Contact Form 7: from n/a through 1.11.3.

  • CVE-2023-44235 · Med · Jun 4, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Devnath verma WP Captcha allows Functionality Bypass. This issue affects WP Captcha: from n/a through 2.0.0.

  • CVE-2024-32720 · Med · May 17, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in CodePeople Appointment Hour Booking allows Removing Important Client Functionality. This issue affects Appointment Hour Booking: from n/a through 1.4.56.

  • CVE-2024-32676 · Med · Apr 25, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in LoginPress LoginPress Pro allows Removing Important Client Functionality. This issue affects LoginPress Pro: from n/a before 3.0.0.

  • CVE-2023-35697 · Med · Jul 10, 2023
    risk 0.34 · cvss 5.3 · epss 0.01

    Improper Restriction of Excessive Authentication Attempts in the SICK ICR890-4 could allow a remote attacker to brute-force user credentials.

  • CVE-2026-35597 · Med · Apr 10, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls…

  • CVE-2024-51720 · Med · Nov 12, 2024
    risk 0.31 · cvss 4.8 · epss 0.00

    An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim’s account and telephone number.

  • CVE-2026-49324 · Med · May 29, 2026
    risk 0.30 · cvss 4.6 · epss 0.00

    Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a…

  • CVE-2025-12896 · Med · Nov 7, 2025
    risk 0.29 · cvss 4.4 · epss 0.00

    Improper resource management in firmware of some Solidigm DC Products may allow an attacker with local or physical access to gain unauthorized access to a locked storage device.

  • CVE-2024-8429 · Med · Dec 17, 2024
    risk 0.28 · cvss 4.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts vulnerability in Digital Operation Services WiFiBurada allows Use of Known Domain Credentials. This issue affects WiFiBurada: before 1.0.5.

  • CVE-2025-64526 · Med · May 14, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an…

  • CVE-2026-44195 · Med · May 13, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username…

  • CVE-2026-40485 · Med · Apr 18, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with…

  • CVE-2026-33763 · Med · Mar 27, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean…

  • CVE-2026-10216 · Low · Jun 1, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. The…

  • CVE-2026-7671 · Low · May 3, 2026
    risk 0.24 · cvss 3.7 · epss 0.01

    A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from…