CWE-307 — Improper Restriction of Excessive Authentication Attempts
539 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-307 (page 3 of 11)
- CVE-2020-4232 | HIGH | CVSS 7.5 | EG 7.5 | 2020-05-28
IBM Security Identity Governance and Intelligence 5.2.6 could allow an attacker to enumerate usernames to find valid login credentials which could be used to attempt further attacks against the system. IBM X-Force ID: 175336.
- CVE-2020-4400 | HIGH | CVSS 7.5 | EG 7.5 | 2020-07-22
IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 179478.
- CVE-2020-4567 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-07-29
IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 184156.
- CVE-2020-4891 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-03-16
IBM Spectrum Scale 5.0.0 through 5.0.5.5 and 5.1.0 through 5.1.0.2 uses an inadequate account lockout setting that could allow a local user to brute force REST API account credentials. IBM X-Force ID: 190974.
- CVE-2020-5141 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-10-12
A vulnerability in SonicOS allows a remote unauthenticated attacker to brute force Virtual Assist ticket ID in the firewall SSLVPN service. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.1…
- CVE-2020-6852 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-04-02
CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 has weak authentication of TELNET access, leading to root privileges without any password required.
- CVE-2020-6875 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-10-05
A ZTE product is impacted by the improper access control vulnerability. Due to lack of an authentication protection mechanism in the program, attackers could use this vulnerability to gain access right through brute-force attacks. This aff…
- CVE-2020-7057 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-01-14
Hikvision DVR DS-7204HGHI-F1 V4.0.1 build 180903 Web Version sends a different response for failed ISAPI/Security/sessionLogin/capabilities login attempts depending on whether the user account exists, which might make it easier to enumerat…
- CVE-2020-7508 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-06-16
A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists in Easergy T300 (Firmware version 1.5.2 and older) which could allow an attacker to gain full access by brute force.
- CVE-2020-7525 | HIGH | CVSS 7.5 | EG 7.5 | 2020-08-31
Improper Restriction of Excessive Authentication Attempts vulnerability exists in all hardware versions of spaceLYnk and Wiser for KNX (formerly homeLYnk) which could allow an attacker to guess a password when brute force is used.
- CVE-2020-7995 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-26
The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.
- CVE-2020-8202 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-07-30
Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 allowed to perform a denial of service attack when using a very long password.
- CVE-2020-8228 | MEDIUM | CVSS 5.3 | EG 5.3 | 2020-10-05
A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times.
- CVE-2020-8790 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-05-04
The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) has weak password requirements combined with improper restriction of excessive authentication attempts, which could allow a remote attacker to discover use…
- CVE-2020-8827 | HIGH | CVSS 7.5 | EG 7.5 | 2020-04-08
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
- CVE-2021-1311 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-01-13
A vulnerability in the reclaim host role feature of Cisco Webex Meetings and Cisco Webex Meetings Server could allow an authenticated, remote attacker to take over the host role during a meeting. This vulnerability is due to a lack of prot…
- CVE-2021-20415 | HIGH | CVSS 7.5 | EG 7.5 | 2021-07-07
IBM Guardium Data Encryption (GDE) 4.0.0.4 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 196217.
- CVE-2021-20427 | HIGH | CVSS 7.5 | EG 7.5 | 2021-08-11
IBM Security Guardium 11.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 196314.
- CVE-2021-20635 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-02-12
Improper restriction of excessive authentication attempts in LOGITEC LAN-WH450N/GR allows an attacker in the wireless range of the device to recover PIN and access the network.
- CVE-2021-22003 | HIGH | CVSS 7.5 | EG 7.5 | 2021-08-31
VMware Workspace ONE Access and Identity Manager, unintentionally provide a login interface on port 7443. A malicious actor with network access to port 7443 may attempt user enumeration or brute force the login endpoint, which may or may n…
- CVE-2021-22530 | HIGH | CVSS 8.2 | EG 8.2 | 2024-08-28
A vulnerability identified in NetIQ Advance Authentication that doesn't enforce account lockout when brute force attack is performed on API based login. This issue may lead to user account compromise if successful or may impact server perf…
- CVE-2021-22640 | HIGH | CVSS 7.5 | EG 9.8 | 2022-07-28
An attacker can decrypt the Ovarro TBox login password by communication capture and brute force attacks.
- CVE-2021-22737 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-05-26
Insufficiently Protected Credentials vulnerability exists in homeLYnk (Wiser For KNX) and spaceLYnk V2.60 and prior that could cause unauthorized access when credentials are discovered after a brute force attack.
- CVE-2021-22818 | HIGH | CVSS 7.5 | EG 7.5 | 2022-01-28
A CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to gain unauthorized access to the charging station web interface by performing brute force attacks. Affected Products: E…
- CVE-2021-22915 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-06-11
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such…
- CVE-2021-25309 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-03-02
The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) al…
- CVE-2021-25676 | HIGH | CVSS 7.5 | EG 7.5 | 2021-03-15
A vulnerability has been identified in RUGGEDCOM RM1224 (V6.3), SCALANCE M-800 (V6.3), SCALANCE S615 (V6.3), SCALANCE SC-600 (All Versions >= V2.1 and < V2.1.3). Multiple failed SSH authentication attempts could trigger a temporary Denial-…
- CVE-2021-27188 | HIGH | CVSS 7.5 | EG 7.5 | 2021-02-12
The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 allows attackers to cause a denial of service (access suspended for five hours) by making five invalid login attempts to a victim's account.
- CVE-2021-27514 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-02-22
EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation).
- CVE-2021-27782 | MEDIUM | CVSS 5.4 | EG 7.5 | 2023-01-20
HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. User should be locked out for multiple invalid attempts.
- CVE-2021-27935 | HIGH | CVSS 7.5 | EG 7.5 | 2021-03-03
An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.
- CVE-2021-27943 | HIGH | CVSS 7.5 | EG 7.5 | 2021-08-02
The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair the dev…
- CVE-2021-28127 | HIGH | CVSS 7.5 | EG 7.5 | 2021-07-01
An issue was discovered in Stormshield SNS through 4.2.1. A brute-force attack can occur.
- CVE-2021-28248 | HIGH | CVSS 7.5 | EG 7.5 | 2021-03-26
CA eHealth Performance Manager through 6.3.2.12 is affected by Improper Restriction of Excessive Authentication Attempts. An attacker is able to perform an arbitrary number of /web/frames/ authentication attempts using different passwords,…
- CVE-2021-28909 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-09-09
BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 allows unauthenticated attackers uncontrolled access to the login service at /webif/SecurityModule in a brute force attack. The password could be weak and the default username is known as 'adm…
- CVE-2021-28911 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-09-09
BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 allows unauthenticated attackers access to the /tmp path, which contains some sensitive data (e.g. the device serial number). Having that info, a possible loginId can be self-calculated in a brute…
- CVE-2021-29023 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-05-17
InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable.
- CVE-2021-29648 | MEDIUM | CVSS 5.5 | EG 5.5 | 2021-03-30
An issue was discovered in the Linux kernel before 5.11.11. The BPF subsystem does not properly consider that resolved_ids and resolved_sizes are intentionally uninitialized in the vmlinux BPF Type Format (BTF), which can cause a system cr…
- CVE-2021-29842 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-09-16
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202.
- CVE-2021-29987 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-08-17
After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into…
- CVE-2021-3138 | HIGH | CVSS 7.5 | EG 7.5 | 2021-01-14
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.
- CVE-2021-31646 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-04-26
Gestsup before 3.2.10 allows account takeover through the password recovery functionality (remote). The affected component is the file forgot_pwd.php - it uses a weak algorithm for the generation of password recovery tokens (the PHP unique…
- CVE-2021-32522 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-07-07
Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users’ credentials and obtain access via a brute force attack. Suggest contacting with QSAN …
- CVE-2021-32678 | LOW | CVSS 3.7 | EG 3.7 | 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteF…
- CVE-2021-32703 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially val…
- CVE-2021-32705 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially va…
- CVE-2021-33190 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-06-08
In Apache APISIX Dashboard version 2.6, we changed the default value of listen host to 0.0.0.0 in order to facilitate users to configure external network access. In the IP allowed list restriction, a risky function was used for the IP acqu…
- CVE-2021-33209 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-11-03
An issue was discovered in Fimer Aurora Vision before 2.97.10. The response to a failed login attempt discloses whether the username or password is wrong, helping an attacker to enumerate usernames. This can make a brute-force attack easie…
- CVE-2021-3412 | HIGH | CVSS 7.3 | EG 7.3 | 2021-06-01
It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks.
- CVE-2021-35472 | HIGH | CVSS 8.8 | EG 8.8 | 2021-07-30
An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one…
Map vulnerabilities like CWE-307 to your infrastructure
EchelonGraph correlates every CVE — across CWE-307 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.