Total
291 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-35925 | 1 Joinbookwyrm | 1 Bookwyrm | 2024-02-04 | N/A | 9.8 CRITICAL |
| BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update their `nginx.conf` file that was created when the instance was set up. Users are advised advised to upgrade. Users unable to upgrade may update their nginx.conf files with the changes manually. | |||||
| CVE-2022-33106 | 1 Wijungle | 2 U250, U250 Firmware | 2024-02-04 | N/A | 9.8 CRITICAL |
| WiJungle NGFW Version U250 was discovered to be vulnerable to No Rate Limit attack, allowing the attacker to brute force the admin password leading to Account Take Over. | |||||
| CVE-2022-39314 | 1 Getkirby | 1 Kirby | 2024-02-04 | N/A | 3.7 LOW |
| Kirby is a flat-file CMS. In versions prior to 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, Kirby is subject to user enumeration due to Improper Restriction of Excessive Authentication Attempts. This vulnerability affects you only if you are using the `code` or `password-reset` auth method with the `auth.methods` option or if you have enabled the `debug` option in production. By using two or more IP addresses and multiple login attempts, valid user accounts will lock, but invalid accounts will not, leading to account enumeration. This issue has been patched in versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1. If you cannot update immediately, you can work around the issue by setting the `auth.methods` option to `password`, which disables the code-based login and password reset forms. | |||||
| CVE-2022-37145 | 1 Plextrac | 1 Plextrac | 2024-02-04 | N/A | 7.5 HIGH |
| The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an attempt to obtain valid credentials for the platform users configured to use the PlexTrac authentication provider. | |||||
| CVE-2022-2321 | 1 Heroiclabs | 1 Nakama | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| Improper Restriction of Excessive Authentication Attempts in GitHub repository heroiclabs/nakama prior to 3.13.0. This results in login brute-force attacks. | |||||
| CVE-2022-3741 | 1 Chatwoot | 1 Chatwoot | 2024-02-04 | N/A | 9.8 CRITICAL |
| Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to identify the output Status Code to separate accounts that are generated and waiting for email verification. \n\nFor the sign in directories, it is possible to brute force login attempts to either login portal, which could lead to account compromise. | |||||
| CVE-2022-4006 | 1 Wbce | 1 Wbce Cms | 2024-02-04 | N/A | 7.5 HIGH |
| A vulnerability, which was classified as problematic, has been found in WBCE CMS. Affected by this issue is the function increase_attempts of the file wbce/framework/class.login.php of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. The attack may be launched remotely. The name of the patch is d394ba39a7bfeb31eda797b6195fd90ef74b2e75. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213716. | |||||
| CVE-2022-2457 | 1 Redhat | 1 Process Automation Manager | 2024-02-04 | N/A | 9.8 CRITICAL |
| A flaw was found in Red Hat Process Automation Manager 7 where an attacker can benefit from a brute force attack against Administration Console as the application does not limit the number of unsuccessful login attempts. | |||||
| CVE-2022-35846 | 1 Fortinet | 1 Fortitester | 2024-02-04 | N/A | 9.8 CRITICAL |
| An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiTester Telnet port 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated attacker to guess the credentials of an admin user via a brute force attack. | |||||
| CVE-2022-31228 | 1 Dell | 3 Xtremio Management Server, Xtremio X1, Xtremio X2 | 2024-02-04 | N/A | 9.8 CRITICAL |
| Dell EMC XtremIO versions prior to X2 6.4.0-22 contain a bruteforce vulnerability. A remote unauthenticated attacker can potentially exploit this vulnerability and gain access to an admin account. | |||||
| CVE-2022-35932 | 1 Nextcloud | 1 Talk | 2024-02-04 | N/A | 5.3 MEDIUM |
| Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.7, 13.0.7, and 14.0.3, password protected conversations are susceptible to brute force attacks if the attacker has the link/conversation token. It is recommended that the Nextcloud Talk application is upgraded to 12.2.7, 13.0.7 or 14.0.3. There are currently no known workarounds available apart from not having password protected conversations. | |||||
| CVE-2022-24689 | 1 Dsk | 1 Dsknet | 2024-02-04 | N/A | 5.3 MEDIUM |
| An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. It mishandles access control. This allows a remote attacker to access account information pages (including personal data) without being authenticated. The collected information includes the badge numbers that operate as user login names. They have a PIN code. The PIN code is 4 digits and thus can be guessed in 10000 brute force attempts. | |||||
| CVE-2021-22640 | 1 Ovarro | 15 Tbox Lt2-530, Tbox Lt2-530 Firmware, Tbox Lt2-532 and 12 more | 2024-02-04 | N/A | 9.8 CRITICAL |
| An attacker can decrypt the Ovarro TBox login password by communication capture and brute force attacks. | |||||
| CVE-2022-27516 | 1 Citrix | 3 Application Delivery Controller, Application Delivery Controller Firmware, Gateway | 2024-02-04 | N/A | 9.8 CRITICAL |
| User login brute force protection functionality bypass | |||||
| CVE-2022-22810 | 1 Schneider-electric | 6 Fellerlynk, Fellerlynk Firmware, Spacelynk and 3 more | 2024-02-04 | 5.0 MEDIUM | 9.8 CRITICAL |
| A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior) | |||||
| CVE-2022-25820 | 1 Google | 1 Android | 2024-02-04 | 2.1 LOW | 4.6 MEDIUM |
| A vulnerable design in fingerprint matching algorithm prior to SMR Mar-2022 Release 1 allows physical attackers to perform brute force attack on screen lock password. | |||||
| CVE-2022-26519 | 1 Carrier | 2 Hills Comnav, Hills Comnav Firmware | 2024-02-04 | 2.1 LOW | 5.5 MEDIUM |
| There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials. | |||||
| CVE-2022-24044 | 1 Siemens | 8 Desigo Dxr2, Desigo Dxr2 Firmware, Desigo Pxc3 and 5 more | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The login functionality of the application does not employ any countermeasures against Password Spraying attacks or Credential Stuffing attacks. An attacker could obtain a list of valid usernames on the device by exploiting the issue and then perform a precise Password Spraying or Credential Stuffing attack in order to obtain access to at least one account. | |||||
| CVE-2022-29084 | 1 Dell | 3 Unity Operating Environment, Unity Xt Operating Environment, Unityvsa Operating Environment | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| Dell Unity, Dell UnityVSA, and Dell Unity XT versions before 5.2.0.0.5.173 do not restrict excessive authentication attempts in Unisphere GUI. A remote unauthenticated attacker may potentially exploit this vulnerability to brute-force passwords and gain access to the system as the victim. Account takeover is possible if weak passwords are used by users. | |||||
| CVE-2021-43958 | 1 Atlassian | 2 Crucible, Fisheye | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability. | |||||