Total
349 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-35590 | 1 Limitloginattempts | 1 Limit Login Attempts Reloaded | 2020-12-22 | 5.0 MEDIUM | 9.8 CRITICAL |
| LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does not ever reach the maximum allowed retries. | |||||
| CVE-2020-28206 | 1 Bitrix24 | 1 Bitrix Framework | 2020-12-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. An "User enumeration and Improper Restriction of Excessive Authentication Attempts" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also allows brute-force attacks on the passwords of users not in the administrator group. | |||||
| CVE-2020-27423 | 1 Anuko | 1 Time Tracker | 2020-12-01 | 5.0 MEDIUM | 7.5 HIGH |
| Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user's mailbox | |||||
| CVE-2020-29042 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-11-29 | 4.3 MEDIUM | 3.7 LOW |
| An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code. | |||||
| CVE-2020-15906 | 1 Tiki | 1 Tiki | 2020-11-03 | 7.5 HIGH | 9.8 CRITICAL |
| tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts. | |||||
| CVE-2020-5141 | 1 Sonicwall | 2 Sonicos, Sonicosv | 2020-10-23 | 6.4 MEDIUM | 6.5 MEDIUM |
| A vulnerability in SonicOS allows a remote unauthenticated attacker to brute force Virtual Assist ticket ID in the firewall SSLVPN service. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0. | |||||
| CVE-2019-17240 | 1 Bludit | 1 Bludit | 2020-10-21 | 4.3 MEDIUM | 9.8 CRITICAL |
| bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers. | |||||
| CVE-2020-8228 | 2 Nextcloud, Opensuse | 3 Preferred Providers, Backports Sle, Leap | 2020-10-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| A missing rate limit in the Preferred Providers app 1.7.0 allowed an attacker to set the password an uncontrolled amount of times. | |||||
| CVE-2019-6524 | 1 Moxa | 8 Eds-405a, Eds-405a Firmware, Eds-408a and 5 more | 2020-10-19 | 5.0 MEDIUM | 9.8 CRITICAL |
| Moxa IKS and EDS do not implement sufficient measures to prevent multiple failed authentication attempts, which may allow an attacker to discover passwords via brute force attack. | |||||
| CVE-2019-5421 | 1 Plataformatec | 1 Devise | 2020-10-16 | 7.5 HIGH | 9.8 CRITICAL |
| Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later. | |||||
| CVE-2020-7525 | 1 Schneider-electric | 4 Spacelynk, Spacelynk Firmware, Wiser For Knx and 1 more | 2020-09-04 | 5.0 MEDIUM | 7.5 HIGH |
| Improper Restriction of Excessive Authentication Attempts vulnerability exists in all hardware versions of spaceLYnk and Wiser for KNX (formerly homeLYnk) which could allow an attacker to guess a password when brute force is used. | |||||
| CVE-2020-24007 | 1 Umanni | 1 Human Resources | 2020-09-01 | 7.5 HIGH | 9.8 CRITICAL |
| Umanni RH 1.0 does not limit the number of authentication attempts. An unauthenticated user may exploit this vulnerability to launch a brute-force authentication attack against the Login page. | |||||
| CVE-2020-13617 | 1 Mitel | 22 6863, 6863 Firmware, 6865 and 19 more | 2020-09-01 | 5.0 MEDIUM | 7.5 HIGH |
| The Web UI component of Mitel MiVoice 6800 and 6900 series SIP Phones with firmware before 5.1.0.SP5 could allow an unauthenticated attacker to expose sensitive information due to improper memory handling during failed login attempts. | |||||
| CVE-2019-14299 | 1 Ricoh | 8 Sp C250dn, Sp C250dn Firmware, Sp C250sf and 5 more | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| Ricoh SP C250DN 1.05 devices have an Authentication Method Vulnerable to Brute Force Attacks. Some Ricoh printers did not implement account lockout. Therefore, it was possible to obtain the local account credentials by brute force. | |||||
| CVE-2019-5217 | 1 Huawei | 2 Mate 9 Pro, Mate 9 Pro Firmware | 2020-08-24 | 2.1 LOW | 4.6 MEDIUM |
| There is an information disclosure vulnerability on Mate 9 Pro Huawei smartphones versions earlier than LON-AL00B9.0.1.150 (C00E61R1P8T8). An attacker could view the photos after a series of operations without unlocking the screen lock. Successful exploit could cause an information disclosure condition. | |||||
| CVE-2019-1126 | 1 Microsoft | 3 Windows Server 2012, Windows Server 2016, Windows Server 2019 | 2020-08-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy.To exploit this vulnerability, an attacker could run a specially crafted application, which would allow an attacker to launch a password brute-force attack or cause account lockouts in Active Directory.This security update corrects how ADFS handles external authentication requests., aka 'ADFS Security Feature Bypass Vulnerability'. This CVE ID is unique from CVE-2019-0975. | |||||
| CVE-2018-19548 | 1 Rudrasoftech | 1 Edusec | 2020-08-24 | 5.0 MEDIUM | 9.8 CRITICAL |
| index.php?r=site%2Flogin in EduSec through 4.2.6 does not restrict sending a series of LoginForm[username] and LoginForm[password] parameters, which might make it easier for remote attackers to obtain access via a brute-force approach. | |||||
| CVE-2019-14951 | 1 Telenav | 1 Scout Gps Link | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| The Telenav Scout GPS Link app 1.x for iOS, as used with Toyota and Lexus vehicles, has an incorrect protection mechanism against brute-force attacks on the authentication process, which makes it easier for attackers to obtain multimedia-screen access via port 7050 on the cellular network, as demonstrated by a DrivingRestriction method call to uma/jsonrpc/mobile. | |||||
| CVE-2019-5263 | 1 Huawei | 2 Hisuite, Hwbackup | 2020-08-24 | 2.1 LOW | 5.5 MEDIUM |
| HiSuite with 9.1.0.305 and earlier versions and 9.1.0.305(MAC) and earlier versions and HwBackup with earlier versions before 9.1.1.308 have a brute forcing encrypted backup data vulnerability. Huawei smartphone user backup information can be obtained by brute forcing the password for encrypting the backup. | |||||
| CVE-2019-14351 | 1 Espocrm | 1 Espocrm | 2020-08-24 | 4.0 MEDIUM | 8.8 HIGH |
| EspoCRM 5.6.4 is vulnerable to user password hash enumeration. A malicious authenticated attacker can brute-force a user password hash by 1 symbol at a time using specially crafted api/v1/User?filterList filters. | |||||