Filtered by vendor
Subscriptions
Total
389 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-39917 | 1 Neutrinolabs | 1 Xrdp | 2024-11-21 | 7.2 High |
xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in `/etc/xrdp/sesman.ini`. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts. | ||||
CVE-2024-39874 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 7.5 High |
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its Client Communication component. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks. | ||||
CVE-2024-39873 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 7.5 High |
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its web API. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks. | ||||
CVE-2024-35747 | 1 Contact Form Builder Project | 1 Contact Form Builder | 2024-11-21 | 5.3 Medium |
Improper Restriction of Excessive Authentication Attempts vulnerability in wpdevart Contact Form Builder, Contact Widget allows Functionality Bypass.This issue affects Contact Form Builder, Contact Widget: from n/a through 2.1.7. | ||||
CVE-2024-32868 | 2024-11-21 | 6.5 Medium | ||
ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0. | ||||
CVE-2024-32774 | 2024-11-21 | 4.3 Medium | ||
Improper Restriction of Excessive Authentication Attempts vulnerability in Metagauss ProfileGrid allows Removing Important Client Functionality.This issue affects ProfileGrid : from n/a through 5.8.2. | ||||
CVE-2024-32720 | 2024-11-21 | 5.3 Medium | ||
Improper Restriction of Excessive Authentication Attempts vulnerability in CodePeople Appointment Hour Booking allows Removing Important Client Functionality.This issue affects Appointment Hour Booking: from n/a through 1.4.56. | ||||
CVE-2024-32676 | 2024-11-21 | 5.3 Medium | ||
Improper Restriction of Excessive Authentication Attempts vulnerability in LoginPress LoginPress Pro allows Removing Important Client Functionality.This issue affects LoginPress Pro: from n/a before 3.0.0. | ||||
CVE-2024-30390 | 2024-11-21 | 5.3 Medium | ||
An Improper Restriction of Excessive Authentication Attempts vulnerability in Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a limited Denial of Service (DoS) to the management plane. When an incoming connection was blocked because it exceeded the connections-per-second rate-limit, the system doesn't consider existing connections anymore for subsequent connection attempts so that the connection limit can be exceeded. This issue affects Junos OS Evolved: * All versions before 21.4R3-S4-EVO, * 22.1-EVO versions before 22.1R3-S3-EVO, * 22.2-EVO versions before 22.2R3-S2-EVO, * 22.3-EVO versions before 22.3R2-S1-EVO, 22.3R3-EVO. | ||||
CVE-2024-2051 | 2024-11-21 | 9.8 Critical | ||
CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the login form. | ||||
CVE-2024-28833 | 1 Checkmk | 1 Checkmk | 2024-11-21 | 5.9 Medium |
Improper restriction of excessive authentication attempts with two factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms. | ||||
CVE-2024-28022 | 1 Hitachienergy | 2 Foxman-un, Unem | 2024-11-21 | 6.5 Medium |
A vulnerability exists in the UNEM server / APIGateway that if exploited allows a malicious user to perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to other components in the same security realm using the targeted account. | ||||
CVE-2024-25031 | 1 Ibm | 2 Storage Defender, Storage Defender Resiliency Service | 2024-11-21 | 6.5 Medium |
IBM Storage Defender - Resiliency Service 2.0.0 through 2.0.4 uses an inadequate account lockout setting that could allow an attacker on the network to brute force account credentials. IBM X-Force ID: 281678. | ||||
CVE-2024-24767 | 2024-11-21 | 9.1 Critical | ||
CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. This vulnerability allows attackers to get super user-level access over the server. Version 0.4.7 contains a patch for this issue. | ||||
CVE-2024-22425 | 2024-11-21 | 6.5 Medium | ||
Dell RecoverPoint for Virtual Machines 5.3.x, 6.0.SP1 contains a brute force/dictionary attack vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to launch a brute force attack or a dictionary attack against the RecoverPoint login form. This allows attackers to brute-force the password of valid users in an automated manner. | ||||
CVE-2024-22317 | 1 Ibm | 1 App Connect Enterprise | 2024-11-21 | 9.1 Critical |
IBM App Connect Enterprise 11.0.0.1 through 11.0.0.24 and 12.0.1.0 through 12.0.11.0 could allow a remote attacker to obtain sensitive information or cause a denial of service due to improper restriction of excessive authentication attempts. IBM X-Force ID: 279143. | ||||
CVE-2024-21662 | 1 Redhat | 1 Openshift Gitops | 2024-11-21 | 7.5 High |
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. This is a severe vulnerability that enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account. Users should upgrade to version 2.8.13, 2.9.9, or 2.10.4 to receive a patch. | ||||
CVE-2024-21652 | 1 Redhat | 1 Openshift Gitops | 2024-11-21 | 9.8 Critical |
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue. | ||||
CVE-2024-1104 | 2024-11-21 | 7.5 High | ||
An unauthenticated remote attacker can bypass the brute force prevention mechanism and disturb the webservice for all users. | ||||
CVE-2023-6928 | 1 Eurotel | 2 Etl3100, Etl3100 Firmware | 2024-11-21 | 9.8 Critical |
EuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system. |