Vulnerabilities (CVE)


Filtered by CWE-307
Total 218 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3

CVE-2019-15577 | 1 (Gitlab) | 1 (Gitlab) | 2021-11-02 | 4.0 MEDIUM | 4.3 MEDIUM
An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing.

CVE-2021-41171 | 1 (Elabftw) | 1 (Elabftw) | 2021-10-28 | 4.0 MEDIUM | 8.8 HIGH
eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in the HTTP Cookie header. This issue has been addressed by implementing brute force login protection with Device Cookies, as recommended by OWASP. This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. The only correct way to address this is to upgrade to version 4.1.0. Adding rate limiting upstream of the eLabFTW service is of course a valid option, with or without upgrading.

CVE-2019-0039 | 1 (Juniper) | 1 (Junos) | 2021-10-25 | 4.3 MEDIUM | 8.1 HIGH
If the REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.2 versions prior to 18.2R1-S5; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S1.

CVE-2021-38474 | 1 (Inhandnetworks) | 2 (Ir615, Ir615 Firmware) | 2021-10-22 | 5.0 MEDIUM | 9.8 CRITICAL
InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 have no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitation and without harming the normal operation of the user. This could allow an attacker to gain valid credentials for the product interface.

CVE-2021-36285 | 1 (Dell) | 42 (Latitude 5310 2-in-1, Latitude 5310 2-in-1 Firmware, Latitude 5320 and 39 more) | 2021-10-04 | 2.1 LOW | 4.4 MEDIUM
Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability. A local authenticated malicious administrator could exploit this vulnerability to bypass excessive NVMe password attempt mitigations in order to carry out a brute force attack.

CVE-2021-36284 | 1 (Dell) | 42 (Latitude 5310 2-in-1, Latitude 5310 2-in-1 Firmware, Latitude 5320 and 39 more) | 2021-10-04 | 2.1 LOW | 4.4 MEDIUM
Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability. A local authenticated malicious administrator could exploit this vulnerability to bypass excessive admin password attempt mitigations in order to carry out a brute force attack.

CVE-2021-29842 | 1 (Ibm) | 1 (Websphere Application Server) | 2021-09-27 | 5.0 MEDIUM | 5.3 MEDIUM
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference in responses between valid and invalid login attempts. IBM X-Force ID: 205202.

CVE-2021-28909 | 1 (Bab-technologie) | 2 (Eibport, Eibport Firmware) | 2021-09-21 | 5.0 MEDIUM | 9.8 CRITICAL
BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 allows unauthenticated attackers uncontrolled access to the login service at /webif/SecurityModule, enabling a brute force attack. The password could be weak and the default username is known to be 'admin'. This is usable as part of an attack chain to gain SSH root access.

CVE-2021-28911 | 1 (Bab-technologie) | 2 (Eibport, Eibport Firmware) | 2021-09-20 | 10.0 HIGH | 9.8 CRITICAL
BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 allows unauthenticated attackers access to the /tmp path, which contains some sensitive data (e.g. the device serial number). With that information, a possible loginId can be self-calculated for a brute force attack against the BMX interface. This is usable as part of an attack chain to gain SSH root access.

CVE-2021-38725 | 1 (Thedaylightstudio) | 1 (Fuel Cms) | 2021-09-20 | 5.0 MEDIUM | 5.3 MEDIUM
Fuel CMS 1.5.0 has a brute force vulnerability in fuel/modules/fuel/controllers/Login.php.

CVE-2021-22915 | 2 (Fedoraproject, Nextcloud) | 2 (Fedora, Nextcloud Server) | 2021-09-20 | 5.0 MEDIUM | 9.8 CRITICAL
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks because IPv6 subnets are not taken into account in rate limiting. This could potentially allow an attacker to bypass rate-limit controls such as the Nextcloud brute-force protection.

CVE-2021-32522 | 1 (Qsan) | 3 (Sanos, Storage Manager, Xevo) | 2021-09-20 | 5.0 MEDIUM | 9.8 CRITICAL
An improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, and SANOS allows remote attackers to discover users' credentials and obtain access via a brute force attack. Contact QSAN and refer to the recommendations in the QSAN document.

CVE-2021-22003 | 2 (Linux, Vmware) | 5 (Linux Kernel, Cloud Foundation, Identity Manager and 2 more) | 2021-09-09 | 5.0 MEDIUM | 7.5 HIGH
VMware Workspace ONE Access and Identity Manager unintentionally provide a login interface on port 7443. A malicious actor with network access to port 7443 may attempt user enumeration or brute force the login endpoint, which may or may not be practical depending on the lockout policy configuration and password complexity for the target account.

CVE-2021-20427 | 2 (Ibm, Linux) | 2 (Security Guardium, Linux Kernel) | 2021-08-19 | 5.0 MEDIUM | 7.5 HIGH
IBM Security Guardium 11.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 196314.

CVE-2021-38155 | 1 (Openstack) | 1 (Keystone) | 2021-08-18 | 5.0 MEDIUM | 7.5 HIGH
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.

CVE-2021-35472 | 2 (Debian, Lemonldap-ng) | 2 (Debian Linux, Lemonldap\) | 2021-08-11 | 6.0 MEDIUM | 8.8 HIGH
An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.

CVE-2021-27943 | 1 (Vizio) | 4 (E50x-e1, E50x-e1 Firmware, P65-f1 and 1 more) | 2021-08-11 | 5.0 MEDIUM | 7.5 HIGH
The pairing procedure used by the Vizio P65-F1 6.0.31.4-2 and E50x-E1 10.0.31.4-2 Smart TVs and mobile application is vulnerable to a brute-force attack (against only 10000 possibilities), allowing a threat actor to forcefully pair with the device, leading to remote control of the TV settings and configurations.

CVE-2021-3663 | 1 (Firefly-iii) | 1 (Firefly Iii) | 2021-08-04 | 5.0 MEDIUM | 7.5 HIGH
firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts.

CVE-2020-23283 | 1 (Mv) | 1 (Mconnect) | 2021-08-02 | 5.0 MEDIUM | 7.5 HIGH
Information disclosure in the Logon Page of MV's mConnect application v02.001.00 allows an attacker to identify valid users from the application's database via brute force.

CVE-2020-8790 | 1 (Oklok Project) | 1 (Oklok) | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL
The OKLOK (3.1.1) mobile companion app for the Fingerprint Bluetooth Padlock FB50 (2.3) has weak password requirements combined with improper restriction of excessive authentication attempts, which could allow a remote attacker to discover user credentials and obtain access via a brute force attack.