Total: 362 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-0787 | 1 Phpipam | 1 Phpipam | 2024-11-19 | N/A | 5.9 MEDIUM | phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0.
CVE-2022-2525 | 1 Janeczku | 1 Calibre-web | 2024-11-19 | N/A | 9.8 CRITICAL | Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
CVE-2024-9832 | | | 2024-11-15 | N/A | 9.3 CRITICAL | There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. An attacker could execute a brute-force attack to gain unauthorized access to the ventilator, and then make changes to device settings that could disrupt the function of the device and/or result in unauthorized information disclosure.
CVE-2024-51720 | | | 2024-11-13 | N/A | 4.8 MEDIUM | An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim's account and telephone number.
CVE-2024-11126 | | | 2024-11-12 | 1.8 LOW | 3.1 LOW | A vulnerability was found in Digistar AG-30 Plus 2.6b. It has been classified as problematic. Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of excessive authentication attempts. The complexity of an attack is rather high. The exploitability is said to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-47592 | | | 2024-11-12 | N/A | 5.3 MEDIUM | SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability.
CVE-2024-51558 | 1 63moons | 2 Aero, Wave 2.0 | 2024-11-08 | N/A | 9.8 CRITICAL | This vulnerability exists in the Wave 2.0 due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack against legitimate user OTP, MPIN or password, which could lead to unauthorized access and compromise of other user accounts.
CVE-2024-3102 | 1 Mintplexlabs | 1 Anythingllm | 2024-11-03 | N/A | 5.3 MEDIUM | A JSON Injection vulnerability exists in the `mintplex-labs/anything-llm` application, specifically within the username parameter during the login process at the `/api/request-token` endpoint. The vulnerability arises from improper handling of values, allowing attackers to perform brute force attacks without prior knowledge of the username. Once the password is known, attackers can conduct blind attacks to ascertain the full username, significantly compromising system security.
CVE-2024-28022 | 1 Hitachienergy | 2 Foxman-un, Unem | 2024-10-30 | N/A | 6.5 MEDIUM | A vulnerability exists in the UNEM server / APIGateway that, if exploited, allows a malicious user to perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to other components in the same security realm using the targeted account.
CVE-2024-48143 | | | 2024-10-25 | N/A | 9.1 CRITICAL | A lack of rate limiting in the OTP validation component of Digitory Multi Channel Integrated POS v1.0 allows attackers to gain access to the ordering system and place an excessive amount of food orders.
CVE-2024-47656 | 1 Shilpisoft | 1 Client Dashboard | 2024-10-16 | N/A | 9.8 CRITICAL | This vulnerability exists in Shilpi Client Dashboard due to missing restrictions for incorrect login attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack on the password, which could lead to unauthorized access to other user accounts.
CVE-2024-7292 | 1 Progress | 1 Telerik Report Server | 2024-10-15 | N/A | 8.8 HIGH | In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts.
CVE-2021-43958 | 1 Atlassian | 2 Crucible, Fisheye | 2024-10-07 | 7.5 HIGH | 9.8 CRITICAL | Various REST resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials, as the REST resources did not check whether users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication, via an improper restriction of excessive authentication attempts vulnerability.
CVE-2024-41276 | | | 2024-10-04 | N/A | 9.8 CRITICAL | A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application.
CVE-2024-47088 | 1 Apexsoftcell | 2 Ld Dp Back Office, Ld Geo | 2024-09-26 | N/A | 9.8 CRITICAL | This vulnerability exists in Apex Softcell LD Geo due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack on the login OTP, which could lead to unauthorized access to other user accounts.
CVE-2024-32771 | 1 Qnap | 2 Qts, Quts Hero | 2024-09-20 | N/A | 2.4 LOW | An improper restriction of excessive authentication attempts vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow local network authenticated administrators to perform an arbitrary number of authentication attempts via unspecified vectors. QuTScloud is not affected. We have already fixed the vulnerability in the following versions: QTS 5.2.0.2782 build 20240601 and later; QuTS hero h5.2.0.2782 build 20240601 and later.
CVE-2024-45523 | | | 2024-09-20 | N/A | 9.1 CRITICAL | An issue was discovered in Bravura Security Fabric versions 12.3.x before 12.3.5.32784, 12.4.x before 12.4.3.35110, 12.5.x before 12.5.2.35950, 12.6.x before 12.6.2.37183, and 12.7.x before 12.7.1.38241. An unauthenticated attacker can cause a resource leak by issuing multiple failed login attempts through the SOAP API.
CVE-2024-5682 | | | 2024-09-20 | N/A | 6.5 MEDIUM | Improper Restriction of Excessive Authentication Attempts vulnerability in Yordam Information Technology Yordam Library Automation System allows Interface Manipulation. This issue affects Yordam Library Automation System: before 20.1.
CVE-2024-43042 | 1 Pluck-cms | 1 Pluck | 2024-09-19 | N/A | 9.8 CRITICAL | Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack.
CVE-2024-45790 | 1 Reedos | 1 Aim-star | 2024-09-18 | N/A | 9.8 CRITICAL | This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack against legitimate user passwords, which could lead to unauthorized access and compromise of other user accounts.