Total
414 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-11082 | 1 Pivotal Software | 2 Cloudfoundry Uaa, Cloudfoundry Uaa Release | 2024-11-21 | N/A |
| Cloud Foundry UAA, all versions prior to 4.20.0 and Cloud Foundry UAA Release, all versions prior to 61.0, allows brute forcing of MFA codes. A remote unauthenticated malicious user in possession of a valid username and password can brute force MFA to login as the targeted user. | ||||
| CVE-2017-16900 | 1 Hunesion | 1 I-onenet | 2024-11-21 | 5.5 Medium |
| Incorrect Access Control in Hunesion i-oneNet 3.0.6042.1200 allows the local user to access other user's information which is unauthorized via brute force. | ||||
| CVE-2015-20110 | 1 Jhipster | 1 Jhipster | 2024-11-21 | 7.5 High |
| JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters. | ||||
| CVE-2014-2875 | 1 Keplerproject | 1 Cgilua | 2024-11-21 | 6.1 Medium |
| The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NOTE: CVE-2014-10399 and CVE-2014-10400 were SPLIT from this ID. | ||||
| CVE-2013-4441 | 1 Pwgen Project | 1 Pwgen | 2024-11-21 | 9.8 Critical |
| The Phonemes mode in Pwgen 2.06 generates predictable passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack. | ||||
| CVE-2013-2257 | 1 Cryptocat Project | 1 Cryptocat | 2024-11-21 | 7.5 High |
| Cryptocat before 2.0.42 has Group Chat ECC Private Key Generation Brute Force Weakness | ||||
| CVE-2013-2228 | 1 Saltstack | 1 Saltstack | 2024-11-21 | 8.1 High |
| SaltStack RSA Key Generation allows remote users to decrypt communications | ||||
| CVE-2013-1895 | 2 Fedoraproject, Python | 2 Fedora, Py-bcrypt | 2024-11-21 | 7.5 High |
| The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the password hash to be overwritten. | ||||
| CVE-2009-5140 | 1 Linksys | 2 Spa2102, Spa2102 Firmware | 2024-11-21 | 8.8 High |
| The SIP implementation on the Linksys SPA2102 phone adapter provides hashed credentials in a response to an invalid authentication challenge, which makes it easier for remote attackers to obtain access via a brute-force attack, related to a "SIP Digest Leak" issue. | ||||
| CVE-2024-0787 | 1 Phpipam | 1 Phpipam | 2024-11-19 | 5.3 Medium |
| phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0. | ||||
| CVE-2024-9832 | 1 Baxter | 1 Life2000 Ventilator Firmware | 2024-11-18 | 9.3 Critical |
| There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. An attacker could execute a brute-force attack to gain unauthorized access to the ventilator, and then make changes to device settings that could disrupt the function of the device and/or result in unauthorized information disclosure. | ||||
| CVE-2024-51720 | 2024-11-13 | 4.8 Medium | ||
| An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim’s account and telephone number. | ||||
| CVE-2024-11126 | 2024-11-12 | 3.1 Low | ||
| A vulnerability was found in Digistar AG-30 Plus 2.6b. It has been classified as problematic. Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of excessive authentication attempts. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-47592 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-12 | 5.3 Medium |
| SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability. | ||||
| CVE-2024-51558 | 2 63moons, Brokeragetechnologysolutions | 3 Aero, Wave 2.0, Wave 2.0 | 2024-11-08 | 9.8 Critical |
| This vulnerability exists in the Wave 2.0 due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack against legitimate user OTP, MPIN or password, which could lead to gain unauthorized access and compromise other user accounts. | ||||
| CVE-2024-48143 | 1 Digitory | 1 Multi-channel Integrated Pos | 2024-10-25 | 9.1 Critical |
| A lack of rate limiting in the OTP validation component of Digitory Multi Channel Integrated POS v1.0 allows attackers to gain access to the ordering system and place an excessive amount of food orders. | ||||
| CVE-2024-47656 | 1 Shilpisoft | 1 Client Dashboard | 2024-10-16 | 9.8 Critical |
| This vulnerability exists in Shilpi Client Dashboard due to missing restrictions for incorrect login attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack on password, which could lead to gain unauthorized access to other user accounts. | ||||
| CVE-2024-7292 | 2 Progress, Progress Software | 2 Telerik Report Server, Telerik Report Server | 2024-10-16 | 7.5 High |
| In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a credential stuffing attack is possible through improper restriction of excessive login attempts. | ||||
| CVE-2024-41276 | 1 Kaiten | 1 Kaiten | 2024-10-04 | 9.8 Critical |
| A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application. | ||||
| CVE-2024-47088 | 1 Apexsoftcell | 2 Ld Dp Back Office, Ld Geo | 2024-09-26 | 9.8 Critical |
| This vulnerability exists in Apex Softcell LD Geo due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack on login OTP, which could lead to gain unauthorized access to other user accounts. | ||||