Filtered by CWE-307
Filtered by vendor Subscriptions
Total 389 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-38273 1 Ibm 1 Cloud Pak System 2024-11-21 7.5 High
IBM Cloud Pak System 2.3.1.1, 2.3.2.0, and 2.3.3.7 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 260733.
CVE-2023-37832 1 Elenos 2 Etg150, Etg150 Firmware 2024-11-21 7.5 High
A lack of rate limiting in Elenos ETG150 FM transmitter v3.12 allows attackers to obtain user credentials via brute force and cause other unspecified impacts.
CVE-2023-37635 1 Uvdesk 1 Community-skeleton 2024-11-21 9.8 Critical
UVDesk Community Skeleton v1.1.1 allows unauthenticated attackers to perform brute force attacks on the login page to gain access to the application.
CVE-2023-36917 1 Sap 1 Businessobjects Business Intelligence 2024-11-21 5.9 Medium
SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality. Although the attack has no impact on integrity loss or system availability, this could lead to an attacker to completely takeover a victim’s account.
CVE-2023-35697 2 Sick, Sick Ag 3 Icr890-4, Icr890-4 Firmware, Icr890-4 2024-11-21 5.3 Medium
Improper Restriction of Excessive Authentication Attempts in the SICK ICR890-4 could allow a remote attacker to brute-force user credentials.
CVE-2023-35039 1 Bedevious 1 Password Reset With Code For Wordpress Rest Api 2024-11-21 9.8 Critical
Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15.
CVE-2023-34243 1 Tgstation13 1 Tgstation-server 2024-11-21 5.8 Medium
TGstation is a toolset to manage production BYOND servers. In affected versions if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was found, a distinct response would be generated. This issue has been addressed in version 5.12.5. Users are advised to upgrade. Users unable to upgrade may be mitigated by rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline such as fail2ban.
CVE-2023-34001 2024-11-21 5.3 Medium
Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins – WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass.This issue affects Hide My WP Ghost: from n/a through 5.0.25.
CVE-2023-33868 1 Piigab 2 M-bus 900s, M-bus 900s Firmware 2024-11-21 5.9 Medium
The number of login attempts is not limited. This could allow an attacker to perform a brute force on HTTP basic authentication.
CVE-2023-33759 1 Splicecom 1 Maximiser Soft Pbx 2024-11-21 9.8 Critical
SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack.
CVE-2023-33754 1 Inpiazza 1 Cloud Wifi 2024-11-21 6.5 Medium
The captive portal in Inpiazza Cloud WiFi versions prior to v4.2.17 does not enforce limits on the number of attempts for password recovery, allowing attackers to brute force valid user accounts to gain access to login credentials.
CVE-2023-32657 1 Weintek 1 Weincloud 2024-11-21 5.3 Medium
Weintek Weincloud v0.13.6 could allow an attacker to efficiently develop a brute force attack on credentials with authentication hints from error message responses.
CVE-2023-32319 1 Nextcloud 1 Nextcloud Server 2024-11-21 8.1 High
Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-32074 1 Nextcloud 1 User Oidc 2024-11-21 8 High
user_oidc app is an OpenID Connect user backend for Nextcloud. Authentication can be broken/bypassed in user_oidc app. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.2
CVE-2023-2675 1 Linagora 1 Twake 2024-11-21 9.8 Critical
Improper Restriction of Excessive Authentication Attempts in GitHub repository linagora/twake prior to 2023.Q1.1223.
CVE-2023-2531 1 Azuracast 1 Azuracast 2024-11-21 9.8 Critical
Improper Restriction of Excessive Authentication Attempts in GitHub repository azuracast/azuracast prior to 0.18.3.
CVE-2023-29301 1 Adobe 1 Coldfusion 2024-11-21 7.5 High
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the confidentiality of the user. Exploitation of this issue does not require user interaction.
CVE-2023-29005 1 Flask-appbuilder Project 1 Flask-appbuilder 2024-11-21 7.5 High
Flask-AppBuilder versions before 4.3.0 lack rate limiting which can allow an attacker to brute-force user credentials. Version 4.3.0 includes the ability to enable rate limiting using `AUTH_RATE_LIMITED = True`, `RATELIMIT_ENABLED = True`, and setting an `AUTH_RATE_LIMIT`.
CVE-2023-28847 1 Nextcloud 1 Nextcloud Server 2024-11-21 3.1 Low
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share links so they can just start brute forcing the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contain a fix for this issue. No known workarounds are available.
CVE-2023-27746 1 Blackvue 4 Dr750-2ch Ir Lte, Dr750-2ch Ir Lte Firmware, Dr750-2ch Lte and 1 more 2024-11-21 9.8 Critical
BlackVue DR750-2CH LTE v.1.012_2022.10.26 was discovered to contain a weak default passphrase which can be easily cracked via a brute force attack if the WPA2 handshake is intercepted.