CWE-307: Improper Restriction of Excessive Authentication Attempts
539 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-307 (page 4 of 11)
- CVE-2021-36284 | MEDIUM | CVSS 5.7 | EG 5.7 | 2021-09-28
Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability. A local authenticated malicious administrator could exploit this vulnerability to bypass excessive admin password attempt mitigations in order t…
- CVE-2021-36285 | MEDIUM | CVSS 5.7 | EG 5.7 | 2021-09-28
Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability. A local authenticated malicious administrator could exploit this vulnerability to bypass excessive NVMe password attempt mitigations in order to…
- CVE-2021-3663 | HIGH | CVSS 7.5 | EG 7.5 | 2021-07-25
firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts
- CVE-2021-36750 | HIGH | CVSS 8.1 | EG 8.1 | 2021-12-22
ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names).
- CVE-2021-37934 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-12-10
Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force passwor…
- CVE-2021-38155 | HIGH | CVSS 7.5 | EG 7.5 | 2021-08-06
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and f…
- CVE-2021-38474 | MEDIUM | CVSS 6.3 | EG 6.3 | 2021-10-19
InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 have no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitatio…
- CVE-2021-38725 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-09-09
Fuel CMS 1.5.0 has a brute force vulnerability in fuel/modules/fuel/controllers/Login.php
- CVE-2021-38890 | HIGH | CVSS 7.5 | EG 7.5 | 2021-11-23
IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 209507.
- CVE-2021-40360 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-09
A vulnerability has been identified in SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions < V15 SP1 Update 7), SIMATIC WinCC V16 (…
- CVE-2021-41171 | MEDIUM | CVSS 5.9 | EG 5.9 | 2021-10-22
eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Coo…
- CVE-2021-41435 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-11-19
A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-A…
- CVE-2021-41807 | HIGH | CVSS 7.5 | EG 9.8 | 2022-01-18
Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.
- CVE-2021-42096 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-10-21
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.
- CVE-2021-42544 | HIGH | CVSS 7.5 | EG 7.5 | 2021-11-30
Missing Rate Limiting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on the Login Form allows an unauthenticated remote attacker to perform multiple login attempts, which facilitates g…
- CVE-2021-43298 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-01-25
The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte…
- CVE-2021-43332 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-11-12
In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack.
- CVE-2021-43958 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-16
Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required so…
- CVE-2021-44033 | MEDIUM | CVSS 6.8 | EG 6.8 | 2021-11-19
In Ionic Identity Vault before 5.0.5, the protection mechanism for invalid unlock attempts can be bypassed.
- CVE-2022-0652 | LOW | CVSS 3.3 | EG 7.8 | 2022-03-22
Confd log files contain local users', including root’s, SHA512crypt password hashes with insecure access permissions. This allows a local attacker to attempt off-line brute-force attacks against these password hashes in Sophos UTM before…
- CVE-2022-2166 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-16
Improper Restriction of Excessive Authentication Attempts in GitHub repository mastodon/mastodon prior to 4.0.0.
- CVE-2022-22452 | HIGH | CVSS 7.5 | EG 7.5 | 2022-07-14
IBM Security Verify Identity Manager 10.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 224918.
- CVE-2022-22485 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-17
In some cases, an unsuccessful attempt to log into IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14.000 does not cause the administrator's invalid sign-on count to be incremented on the IBM Spectrum Protect Server. An attack…
- CVE-2022-22487 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-30
An IBM Spectrum Protect storage agent could allow a remote attacker to perform a brute force attack by allowing unlimited attempts to login to the storage agent without locking the administrative ID. A remote attacker could exploit this vu…
- CVE-2022-22496 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-06-30
While a user account for the IBM Spectrum Protect Server 8.1.0.000 through 8.1.14 is being established, it may be configured to use SESSIONSECURITY=TRANSITIONAL. While in this mode, it may be susceptible to an offline dictionary attack. IB…
- CVE-2022-22553 | HIGH | CVSS 8.1 | EG 8.1 | 2022-01-21
Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that can be exploited from UI and CLI. An adjacent unauthenticated attacker could potentially exploit this vulnerabilit…
- CVE-2022-22561 | HIGH | CVSS 8.1 | EG 9.8 | 2022-04-12
Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts.
- CVE-2022-22810 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-02-09
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior),…
- CVE-2022-2321 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-05
Improper Restriction of Excessive Authentication Attempts in GitHub repository heroiclabs/nakama prior to 3.13.0. This results in login brute-force attacks.
- CVE-2022-23746 | HIGH | CVSS 7.5 | EG 7.5 | 2022-11-30
The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX). If the portal is configured for username/password authentication, it is vulnerable to a brute-force attack on usernames and passw…
- CVE-2022-24044 | HIGH | CVSS 7.5 | EG 7.5 | 2022-05-20
A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The logi…
- CVE-2022-24402 | HIGH | CVSS 8.8 | EG 8.8 | 2023-10-19
The TETRA TEA1 keystream generator implements a key register initialization function that compresses the 80-bit key to only 32 bits for usage during the keystream generation phase, which is insufficient to safeguard against exhaustive sear…
- CVE-2022-2457 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-08-10
A flaw was found in Red Hat Process Automation Manager 7 where an attacker can benefit from a brute force attack against Administration Console as the application does not limit the number of unsuccessful login attempts.
- CVE-2022-24689 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-07-18
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected informati…
- CVE-2022-2525 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-04-15
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
- CVE-2022-25820 | MEDIUM | CVSS 4.2 | EG 4.6 | 2022-03-10
A vulnerable design in fingerprint matching algorithm prior to SMR Mar-2022 Release 1 allows physical attackers to perform brute force attack on screen lock password.
- CVE-2022-26314 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-03-08
A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an in…
- CVE-2022-2650 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-11-24
Improper Restriction of Excessive Authentication Attempts in GitHub repository wger-project/wger prior to 2.2.
- CVE-2022-26519 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-04-20
There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials.
- CVE-2022-26964 | HIGH | CVSS 7.4 | EG 7.5 | 2022-12-26
Weak password derivation for export in Devolutions Remote Desktop Manager before 2022.1 allows information disclosure via a password brute-force attack. An error caused base64 to be decoded.
- CVE-2022-27516 | MEDIUM | CVSS 5.3 | EG 9.8 | 2022-11-08
User login brute force protection functionality bypass
- CVE-2022-2822 | HIGH | CVSS 7.5 | EG 3.7 | 2022-08-15
An attacker can freely brute force username and password and can takeover any account. An attacker could easily guess user passwords and gain access to user and administrative accounts.
- CVE-2022-28384 | MEDIUM | CVSS 5.5 | EG 5.5 | 2022-06-08
An issue was discovered in certain Verbatim drives through 2022-03-31. Due to an insecure design, they allow an offline brute-force attack for determining the correct passcode, and thus gaining unauthorized access to the stored encrypted d…
- CVE-2022-28386 | MEDIUM | CVSS 4.6 | EG 4.6 | 2022-06-08
An issue was discovered in certain Verbatim drives through 2022-03-31. The security feature for lockout (e.g., requiring a reformat of the drive after 20 failed unlock attempts) does not work as specified. More than 20 attempts may be made…
- CVE-2022-29056 | LOW | CVSS 3.7 | EG 5.3 | 2023-03-09
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0 through 6.2.4 and before 6.0.9 allows a remote unauthenticated attacker to partially exhaust CPU and me…
- CVE-2022-29084 | HIGH | CVSS 8.1 | EG 9.8 | 2022-06-02
Dell Unity, Dell UnityVSA, and Dell Unity XT versions before 5.2.0.0.5.173 do not restrict excessive authentication attempts in Unisphere GUI. A remote unauthenticated attacker may potentially exploit this vulnerability to brute-force pass…
- CVE-2022-30076 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-04-16
ENTAB ERP 1.0 allows attackers to discover users' full names via a brute force attack with a series of student usernames such as s10000 through s20000. There is no rate limiting.
- CVE-2022-30235 | HIGH | CVSS 8.6 | EG 9.8 | 2022-06-02
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow unauthorized access when an attacker uses brute force. Affected Products: Wiser Smart, EER21000 & EER21001 (V4.5 and prior)
- CVE-2022-30305 | LOW | CVSS 3.7 | EG 7.5 | 2022-12-06
An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2, 3.3.0 through 3.3.3, 3.2.0 through 3.2.2…
- CVE-2022-3031 | LOW | CVSS 3.7 | EG 7.5 | 2022-10-17
An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password …
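Several of the entries above are the same design mistake seen from different angles: a failure counter keyed by something the client controls (the forged PHPSESSID bypass in CVE-2021-41171), an alternate authentication path that never increments the counter (the REST resources in CVE-2021-43958, the Operations Center sign-on in CVE-2022-22485), a byte-by-byte password compare that leaks timing (CVE-2021-43298), and lockout behaviour that reveals whether an account exists (CVE-2021-38155). The following is an added example, not code from any vendor or project listed on this page, showing the bypassable pattern next to a server-side, account-keyed limiter that all login paths share. The user store, the policy values (`MAX_FAILURES`, `LOCKOUT_SECONDS`) and the class and function names are assumptions made for illustration.

```python
"""Brute-force protection: client-keyed counters (bypassable) versus a
server-side, account-keyed lockout (CWE-307 mitigation). Illustrative code,
not taken from any advisory above."""
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5         # assumed policy values, not from any advisory
LOCKOUT_SECONDS = 900
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_db(**creds):
    """Constructed in-memory user store: {username: (salt, pbkdf2_hash)}."""
    db = {}
    for name, pw in creds.items():
        salt = secrets.token_bytes(16)
        db[name] = (salt, _hash_password(pw, salt))
    return db


# Dummy credential so an unknown username costs the same hash work and gets
# the same answers as a real one (no enumeration via timing or lockout).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def _password_ok(users, username, password):
    salt, expected = users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Constant-time compare: no early exit for an attacker to measure.
    match = hmac.compare_digest(_hash_password(password, salt), expected)
    return match and username in users


class SessionKeyedLimiter:
    """Vulnerable pattern: the counter is keyed by a client-supplied session
    id, so sending a fresh cookie with every guess never accumulates failures."""

    def __init__(self, users):
        self.users = users
        self.failures = {}

    def login(self, session_id, username, password):
        if self.failures.get(session_id, 0) >= MAX_FAILURES:
            return "locked"
        if _password_ok(self.users, username, password):
            self.failures.pop(session_id, None)
            return "ok"
        self.failures[session_id] = self.failures.get(session_id, 0) + 1
        return "denied"


class AccountKeyedLimiter:
    """Hardened pattern: the counter is server-side, keyed by the target
    account, and every entry point (web form, REST, CLI) funnels through the
    same check so no path can skip the count."""

    def __init__(self, users, clock=time.monotonic):
        self.users, self.clock = users, clock
        self.state = {}  # username -> (failure_count, locked_until)

    def _authenticate(self, username, password):
        now = self.clock()
        count, locked_until = self.state.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"  # same answer whether or not the account exists
        if _password_ok(self.users, username, password):
            self.state.pop(username, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.state[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self.state[username] = (count, locked_until)
        return "denied"

    def login_web(self, session_id, username, password):
        return self._authenticate(username, password)

    def login_rest(self, username, password):
        return self._authenticate(username, password)


def demo_session_rotation(attempts=8):
    """Attacker rotates the session id on every guess; returns the two
    limiters' responses side by side."""
    users = make_user_db(alice="correct horse battery staple")
    weak, strong = SessionKeyedLimiter(users), AccountKeyedLimiter(users)
    weak_res = [weak.login(secrets.token_hex(8), "alice", f"guess{i}") for i in range(attempts)]
    strong_res = [strong.login_rest("alice", f"guess{i}") for i in range(attempts)]
    return weak_res, strong_res


if __name__ == "__main__":
    print(demo_session_rotation())
```

Two caveats a practitioner should carry over from the entries above: an account-keyed lockout lets an attacker lock out legitimate users, so it belongs alongside per-source throttling or exponential backoff rather than in place of it, and the per-username state table grows with attacker-supplied names, so it needs an eviction policy or the limiter itself becomes the resource-exhaustion vector that the FortiMail entry describes.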
Map vulnerabilities like CWE-307 to your infrastructure
EchelonGraph correlates every CVE — across CWE-307 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.