Vulnerabilities (CVE)

Filtered by CWE-307
Total 362 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-6524 1 Moxa 8 Eds-405a, Eds-405a Firmware, Eds-408a and 5 more 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
Moxa IKS and EDS do not implement sufficient measures to prevent multiple failed authentication attempts, which may allow an attacker to discover passwords via brute force attack.
CVE-2019-1126 1 Microsoft 3 Windows Server 2012, Windows Server 2016, Windows Server 2019 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy.To exploit this vulnerability, an attacker could run a specially crafted application, which would allow an attacker to launch a password brute-force attack or cause account lockouts in Active Directory.This security update corrects how ADFS handles external authentication requests., aka 'ADFS Security Feature Bypass Vulnerability'. This CVE ID is unique from CVE-2019-0975.
CVE-2018-19548 1 Rudrasoftech 1 Edusec 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
index.php?r=site%2Flogin in EduSec through 4.2.6 does not restrict sending a series of LoginForm[username] and LoginForm[password] parameters, which might make it easier for remote attackers to obtain access via a brute-force approach.
CVE-2018-11082 1 Pivotal Software 2 Cloudfoundry Uaa, Cloudfoundry Uaa Release 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
Cloud Foundry UAA, all versions prior to 4.20.0 and Cloud Foundry UAA Release, all versions prior to 61.0, allows brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force MFA to login as the targeted user.
CVE-2018-19021 1 Emerson 1 Deltav 2024-02-28 3.3 LOW 6.5 MEDIUM
A specially crafted script could bypass the authentication of a maintenance port of Emerson DeltaV DCS Versions 11.3.1, 11.3.2, 12.3.1, 13.3.1, 14.3, R5.1, R6 and prior, which may allow an attacker to cause a denial of service.
CVE-2018-16703 1 Gleeztech 1 Gleez Cms 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side access control and login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Portal login page. An exploit could allow the attacker to identify existing users and perform brute-force password attacks on the Portal, as demonstrated by navigating to the user/4 URI.
CVE-2018-15759 1 Pivotal Software 2 Broker Api, On Demand Services Sdk 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.
CVE-2018-14657 1 Redhat 3 Keycloak, Linux, Single Sign-on 2024-02-28 4.3 MEDIUM 8.1 HIGH
A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.
CVE-2018-1373 1 Ibm 1 Security Guardium Big Data Intelligence 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 137773.
CVE-2018-1475 1 Ibm 1 Bigfix Platform 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
IBM BigFix Platform 9.2 and 9.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 140756.
CVE-2018-12649 1 Misp 1 Misp 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. An adversary can bypass the brute-force protection by using a PUT HTTP method instead of a POST HTTP method in the login part, because this protection was only covering POST requests.
CVE-2018-12993 1 Onefilecms 1 Onefilecms 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers to conduct brute-force attacks via the onefilecms_username and onefilecms_password fields.
CVE-2018-5469 1 Belden 134 Hirschmann M1-8mm-sc, Hirschmann M1-8sfp, Hirschmann M1-8sm-sc and 131 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
An Improper Restriction of Excessive Authentication Attempts issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. An improper restriction of excessive authentication vulnerability in the web interface has been identified, which may allow an attacker to brute force authentication.
CVE-2017-7898 1 Rockwellautomation 21 1763-l16awa Series A, 1763-l16awa Series B, 1763-l16bbb Series A and 18 more 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
An Improper Restriction of Excessive Authentication Attempts issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers 1763-L16AWA, Series A and B, Version 16.00 and prior versions; 1763-L16BBB, Series A and B, Version 16.00 and prior versions; 1763-L16BWA, Series A and B, Version 16.00 and prior versions; and 1763-L16DWD, Series A and B, Version 16.00 and prior versions and Allen-Bradley MicroLogix 1400 programmable logic controllers 1766-L32AWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWA, Series A and B, Version 16.00 and prior versions; 1766-L32BWAA, Series A and B, Version 16.00 and prior versions; 1766-L32BXB, Series A and B, Version 16.00 and prior versions; 1766-L32BXBA, Series A and B, Version 16.00 and prior versions; and 1766-L32AWAA, Series A and B, Version 16.00 and prior versions. There are no penalties for repeatedly entering incorrect passwords.
CVE-2017-11187 1 Phpmyfaq 1 Phpmyfaq 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
phpMyFAQ before 2.9.8 does not properly mitigate brute-force attacks that try many passwords in attempted logins quickly.
CVE-2017-1197 1 Ibm 1 Bigfix Security Compliance Analytics 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
IBM BigFix Compliance (TEMA SUAv1 SCA SCM) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 123672.
CVE-2017-10604 1 Juniper 2 Junos, Srx 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
When the device is configured to perform account lockout with a defined period of time, any unauthenticated user attempting to log in as root with an incorrect password can trigger a lockout of the root account. When an SRX Series device is in cluster mode, and a cluster sync or failover operation occurs, then there will be errors associated with synch or failover while the root account is locked out. Administrators can confirm if the root account is locked out via the following command root@device> show system login lockout user root User Lockout start Lockout end root 1995-01-01 01:00:01 PDT 1995-11-01 01:31:01 PDT Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D65 on SRX series; 12.3X48 prior to 12.3X48-D45 on SRX series; 15.1X49 prior to 15.1X49-D75 on SRX series.
CVE-2017-7915 1 Moxa 12 Oncell 5004-hspa, Oncell 5004-hspa Firmware, Oncell 5104-hsdpa and 9 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
An Improper Restriction of Excessive Authentication Attempts issue was discovered in Moxa OnCell G3110-HSPA Version 1.3 build 15082117 and previous versions, OnCell G3110-HSDPA Version 1.2 Build 09123015 and previous versions, OnCell G3150-HSDPA Version 1.4 Build 11051315 and previous versions, OnCell 5104-HSDPA, OnCell 5104-HSPA, and OnCell 5004-HSPA. An attacker can freely use brute force to determine parameters needed to bypass authentication.
CVE-2017-12316 1 Cisco 1 Identity Services Engine Software 2024-02-28 5.0 MEDIUM 7.5 HIGH
A vulnerability in the Guest Portal login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to perform multiple login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-side login attempt limit enforcement. An attacker could exploit this vulnerability by sending modified login attempts to the Guest Portal login page. An exploit could allow the attacker to perform brute-force password attacks on the ISE Guest Portal. Cisco Bug IDs: CSCve98518.
CVE-2017-7673 1 Apache 1 Openmeetings 2024-02-28 5.0 MEDIUM 9.8 CRITICAL
Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.