Vulnerabilities: Improper Restriction of Excessive Authentication Attempts (CWE-307)

| Date | CVE | Affected product | Description | Attack vector | Complexity | Vendor | CWE | Risk (score) |
|---|---|---|---|---|---|---|---|---|
| 2020-12-23 | CVE-2020-35586 | Mersive Solstice POD Firmware | In Solstice Pod before 3.3.0 (or Open4.3), the Administrator password can be enumerated using brute-force attacks via the /Config/service/initModel?password= Solstice Open Control API because there is no complexity requirement (e.g., it might be all digits or all lowercase letters). | network | low complexity | mersive | CWE-307 | 5.0 |
| 2020-12-23 | CVE-2020-35585 | Mersive Solstice POD Firmware | In Solstice Pod before 3.3.0 (or Open4.3), the screen key can be enumerated using brute-force attacks via the /lookin/info Solstice Open Control API because there are only 1.7 million possibilities. | network | low complexity | mersive | CWE-307 | 5.0 |
| 2020-12-23 | CVE-2020-25196 | Moxa Nport Iaw5000A-I/O Firmware | The built-in web server for MOXA NPort IAW5000A-I/O firmware version 2.1 or lower allows SSH/Telnet sessions, which may be vulnerable to brute-force attacks to bypass authentication. | network | low complexity | moxa | CWE-307 | 5.0 |
| 2020-12-21 | CVE-2020-35590 | Limitloginattempts Limit Login Attempts Reloaded | LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. | network | low complexity | limitloginattempts | CWE-307 | 5.0 |
| 2020-12-02 | CVE-2020-28206 | Bitrix24 Bitrix Framework 20.0 | An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. | network | low complexity | bitrix24 | CWE-307 | 4.0 |
| 2020-11-27 | CVE-2020-29136 | Cpanel | In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575). | network | low complexity | cpanel | CWE-307 | 4.0 |
| 2020-11-26 | CVE-2020-29042 | Bigbluebutton | An issue was discovered in BigBlueButton through 2.2.29. | | | | | 4.3 |
| 2020-11-19 | CVE-2020-28212 | Schneider-Electric Ecostruxure Control Expert | A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxure™ Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute-force attack is done over Modbus. | network | low complexity | schneider-electric | CWE-307 | 7.5 |
| 2020-11-16 | CVE-2020-27423 | Anuko Time Tracker 1.19.23.5311 | Anuko Time Tracker v1.19.23.5311 lacks a rate limit on the password reset module, which allows an attacker to perform a denial-of-service attack on any legitimate user's mailbox. | network | low complexity | anuko | CWE-307 | 5.0 |
| 2020-10-22 | CVE-2020-15906 | Tiki | tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. | network | low complexity | tiki | CWE-307 | 7.5 |