Total
291 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-25676 | 1 Siemens | 8 Ruggedcom Rm1224, Ruggedcom Rm1224 Firmware, Scalance M-800 and 5 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
A vulnerability has been identified in RUGGEDCOM RM1224 (V6.3), SCALANCE M-800 (V6.3), SCALANCE S615 (V6.3), SCALANCE SC-600 (All Versions >= V2.1 and < V2.1.3). Multiple failed SSH authentication attempts could trigger a temporary Denial-of-Service under certain conditions. When triggered, the device will reboot automatically. | |||||
CVE-2020-28212 | 1 Schneider-electric | 1 Ecostruxure Control Expert | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus. | |||||
CVE-2019-18235 | 1 Advantech | 2 Spectre Rt Ert351, Spectre Rt Ert351 Firmware | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Advantech Spectre RT ERT351 Versions 5.1.3 and prior has insufficient login authentication parameters required for the web application may allow an attacker to gain full access using a brute-force password attack. | |||||
CVE-2020-35565 | 1 Mbconnectline | 2 Mbconnect24, Mymbconnect24 | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default. | |||||
CVE-2020-25827 | 2 Fedoraproject, Mediawiki | 2 Fedora, Mediawiki | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently. | |||||
CVE-2020-6875 | 1 Zte | 2 Zxone 19700 Snpe, Zxone 19700 Snpe Firmware | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
A ZTE product is impacted by the improper access control vulnerability. Due to lack of an authentication protection mechanism in the program, attackers could use this vulnerability to gain access right through brute-force attacks. This affects: <ZXONE 19700 SNPE><ZXONE8700V1.40R2B13_SNPE> | |||||
CVE-2020-15906 | 1 Tiki | 1 Tiki | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. | |||||
CVE-2021-25309 | 1 Gigaset | 2 Dx600a, Dx600a Firmware | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) allows remote attackers to easily obtain administrative access via brute-force attacks. | |||||
CVE-2020-5141 | 1 Sonicwall | 2 Sonicos, Sonicosv | 2024-02-04 | 6.4 MEDIUM | 6.5 MEDIUM |
A vulnerability in SonicOS allows a remote unauthenticated attacker to brute force Virtual Assist ticket ID in the firewall SSLVPN service. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0. | |||||
CVE-2021-27514 | 1 Eyesofnetwork | 1 Eyesofnetwork | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation). | |||||
CVE-2020-29136 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575). | |||||
CVE-2020-35585 | 1 Mersive | 2 Solstice Pod, Solstice Pod Firmware | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
In Solstice Pod before 3.3.0 (or Open4.3), the screen key can be enumerated using brute-force attacks via the /lookin/info Solstice Open Control API because there are only 1.7 million possibilities. | |||||
CVE-2020-35590 | 1 Limitloginattempts | 1 Limit Login Attempts Reloaded | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries. | |||||
CVE-2021-27188 | 1 Xn--b1agzlht | 1 Fx Aggregator Terminal Client | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
The Sovremennye Delovye Tekhnologii FX Aggregator terminal client 1 allows attackers to cause a denial of service (access suspended for five hours) by making five invalid login attempts to a victim's account. | |||||
CVE-2021-3138 | 1 Discourse | 1 Discourse | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. | |||||
CVE-2020-27423 | 1 Anuko | 1 Time Tracker | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user's mailbox | |||||
CVE-2020-11052 | 1 Sorcery Project | 1 Sorcery | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
In Sorcery before 0.15.0, there is a brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired, protection will not be re-enabled until a user or malicious actor logs in successfully. This does not affect users that do not use the built-in brute force protection submodule, nor users that use permanent account lockout. This has been patched in 0.15.0. | |||||
CVE-2020-15786 | 1 Siemens | 8 Simatic Hmi Basic Panels 2nd Generation, Simatic Hmi Basic Panels 2nd Generation Firmware, Simatic Hmi Comfort Panels and 5 more | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
A vulnerability has been identified in SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) (All versions < V16), SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (All versions <= V16), SIMATIC HMI Mobile Panels (All versions <= V16), SIMATIC HMI Unified Comfort Panels (All versions <= V16). Affected devices insufficiently block excessive authentication attempts. This could allow a remote attacker to discover user passwords and obtain access to the Sm@rt Server via a brute-force attack. | |||||
CVE-2019-17525 | 1 Dlink | 2 Dir-615, Dir-615 Firmware | 2024-02-04 | 4.0 MEDIUM | 8.8 HIGH |
The login page on D-Link DIR-615 T1 20.10 devices allows remote attackers to bypass the CAPTCHA protection mechanism and conduct brute-force attacks. | |||||
CVE-2019-13394 | 1 Netgear | 2 Cg3700b, Cg3700b Firmware | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Basic Authentication over cleartext HTTP. |