CVE-2021-29023 - Improper Restriction of Excessive Authentication Attempts vulnerability in InvoicePlane 1.5.11
CVSS metrics

Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | LOW |
Availability impact | NONE |

Summary
InvoicePlane 1.5.11 has no rate limiting on the password reset function, and the reset token is generated with a weak, predictable mechanism.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
References
- https://github.com/InvoicePlane/InvoicePlane/pull/767
- https://notnnor.github.io/research/2021/03/16/weak-password-recovery-mechanism-in-invoiceplane.html