Common Weakness Enumeration

CWE-307

Allowed

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

903 vulnerabilities reference this CWE, most recent first.

CVE-2023-21709 (GCVE-0-2023-21709)

Vulnerability from cvelistv5 – Published: 2023-08-08 17:08 – Updated: 2025-02-27 21:07
VLAI
Title
Microsoft Exchange Server Elevation of Privilege Vulnerability
Summary
Microsoft Exchange Server Elevation of Privilege Vulnerability
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Date Public
2023-08-08 07:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T09:44:02.165Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "Microsoft Exchange Server Elevation of Privilege Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21709"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-21709",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-26T21:51:01.605859Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T21:07:14.157Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 12",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1118.037",
              "status": "affected",
              "version": "15.02.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2016 Cumulative Update 23",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.01.2507.032",
              "status": "affected",
              "version": "15.01.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Microsoft Exchange Server 2019 Cumulative Update 13",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "15.02.1258.025",
              "status": "affected",
              "version": "15.02.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_12:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1118.037",
                  "versionStartIncluding": "15.02.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_23:*:*:*:*:*:*",
                  "versionEndExcluding": "15.01.2507.032",
                  "versionStartIncluding": "15.01.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:exchange_server:*:cumulative_update_13:*:*:*:*:*:*",
                  "versionEndExcluding": "15.02.1258.025",
                  "versionStartIncluding": "15.02.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2023-08-08T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-01T01:58:32.494Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Exchange Server Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21709"
        }
      ],
      "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2023-21709",
    "datePublished": "2023-08-08T17:08:46.247Z",
    "dateReserved": "2022-12-13T18:08:03.490Z",
    "dateUpdated": "2025-02-27T21:07:14.157Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6928 (GCVE-0-2023-6928)

Vulnerability from cvelistv5 – Published: 2023-12-19 22:58 – Updated: 2024-08-02 08:42
VLAI
Title
Improper Restriction of Excessive Authentication Attempts
Summary
EuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system.
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
Vendor Product Version
EuroTel ETL3100 Affected: v01c01
Affected: v01x37
Create a notification for this product.
Credits
Gjoko Krstic
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:42:08.687Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "government-resource",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-05"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ETL3100",
          "vendor": "EuroTel",
          "versions": [
            {
              "status": "affected",
              "version": "v01c01"
            },
            {
              "status": "affected",
              "version": "v01x37"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Gjoko Krstic"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cp\u003eEuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system.\u003c/p\u003e\u003cbr\u003e\n\n"
            }
          ],
          "value": "\nEuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system.\n\n\n\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-19T22:58:50.824Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-05"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Improper Restriction of Excessive Authentication Attempts",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2023-6928",
    "datePublished": "2023-12-19T22:58:50.824Z",
    "dateReserved": "2023-12-18T17:18:31.806Z",
    "dateUpdated": "2024-08-02T08:42:08.687Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-6912 (GCVE-0-2023-6912)

Vulnerability from cvelistv5 – Published: 2023-12-20 09:35 – Updated: 2026-02-23 10:07
VLAI
Title
Brute force vulnerability in M-Files user authentication
Summary
Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Impacted products
Vendor Product Version
M-Files Corporation M-Files Server Affected: 0 , < 23.12.13205.0 (custom)
Unaffected: 23.2 LTS SR6
Unaffected: 23.8 LTS SR4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:42:08.504Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6912/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "M-Files Server",
          "vendor": "M-Files Corporation",
          "versions": [
            {
              "lessThan": "23.12.13205.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "23.2 LTS SR6"
            },
            {
              "status": "unaffected",
              "version": "23.8 LTS SR4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.\u003cbr\u003e"
            }
          ],
          "value": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-49",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-49: Password Brute Forcing"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T10:07:53.064Z",
        "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "shortName": "M-Files Corporation"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://product.m-files.com/security-advisories/cve-2023-6912/"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://empower.m-files.com/security-advisories/CVE-2023-6912"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to patched version.\u003cbr\u003e"
            }
          ],
          "value": "Update to patched version."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Brute force vulnerability in M-Files user authentication",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
    "assignerShortName": "M-Files Corporation",
    "cveId": "CVE-2023-6912",
    "datePublished": "2023-12-20T09:35:46.232Z",
    "dateReserved": "2023-12-18T08:33:42.158Z",
    "dateUpdated": "2026-02-23T10:07:53.064Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-6756 (GCVE-0-2023-6756)

Vulnerability from cvelistv5 – Published: 2023-12-13 13:31 – Updated: 2024-08-02 08:42
VLAI
Title
Thecosy IceCMS Captcha login excessive authentication
Summary
A vulnerability was found in Thecosy IceCMS 2.0.1. It has been classified as problematic. Affected is an unknown function of the file /login of the component Captcha Handler. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247884.
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
Vendor Product Version
Thecosy IceCMS Affected: 2.0.1
Create a notification for this product.
Credits
YuJiu (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:42:07.179Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.247884"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.247884"
          },
          {
            "tags": [
              "exploit",
              "x_transferred"
            ],
            "url": "http://124.71.147.32:8082/IceCMS2.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Captcha Handler"
          ],
          "product": "IceCMS",
          "vendor": "Thecosy",
          "versions": [
            {
              "status": "affected",
              "version": "2.0.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "YuJiu (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Thecosy IceCMS 2.0.1. It has been classified as problematic. Affected is an unknown function of the file /login of the component Captcha Handler. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247884."
        },
        {
          "lang": "de",
          "value": "Es wurde eine problematische Schwachstelle in Thecosy IceCMS 2.0.1 ausgemacht. Betroffen hiervon ist ein unbekannter Ablauf der Datei /login der Komponente Captcha Handler. Durch Beeinflussen mit unbekannten Daten kann eine improper restriction of excessive authentication attempts-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-13T13:31:03.944Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.247884"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.247884"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "http://124.71.147.32:8082/IceCMS2.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-12-13T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-12-13T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2023-12-13T08:45:15.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Thecosy IceCMS Captcha login excessive authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2023-6756",
    "datePublished": "2023-12-13T13:31:03.944Z",
    "dateReserved": "2023-12-13T07:39:44.413Z",
    "dateUpdated": "2024-08-02T08:42:07.179Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-5754 (GCVE-0-2023-5754)

Vulnerability from cvelistv5 – Published: 2023-10-26 19:47 – Updated: 2025-01-16 21:27
VLAI
Title
Improper Restriction of Excessive Authentication Attempts in Sielco PolyEco1000
Summary
Sielco PolyEco1000 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
Impacted products
Vendor Product Version
Sielco PolyEco1000 Affected: CPU:2.0.6 FPGA:10.19
Affected: CPU:1.9.4 FPGA:10.19
Affected: CPU:1.9.3 FPGA:10.19
Affected: CPU:1.7.0 FPGA:10.16
Affected: CPU:2.0.2 FPGA:10.19
Affected: CPU:2.0.0 FPGA:10.19
Create a notification for this product.
Credits
Gjoko Krstic
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:07:32.658Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5754",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-16T21:22:31.175439Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-16T21:27:38.467Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PolyEco1000",
          "vendor": "Sielco ",
          "versions": [
            {
              "status": "affected",
              "version": "CPU:2.0.6 FPGA:10.19"
            },
            {
              "status": "affected",
              "version": "CPU:1.9.4 FPGA:10.19"
            },
            {
              "status": "affected",
              "version": "CPU:1.9.3 FPGA:10.19"
            },
            {
              "status": "affected",
              "version": "CPU:1.7.0 FPGA:10.16"
            },
            {
              "status": "affected",
              "version": "CPU:2.0.2 FPGA:10.19"
            },
            {
              "status": "affected",
              "version": "CPU:2.0.0 FPGA:10.19"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": " Gjoko Krstic"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cp\u003e\u003c/p\u003e\n\n\u003cp\u003eSielco PolyEco1000 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.\u003c/p\u003e\u003cbr\u003e\n\n\u003cbr\u003e\n\n"
            }
          ],
          "value": "\n\n\n\n\nSielco PolyEco1000 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.\n\n\n\n\n\n\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-26T19:47:06.226Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Improper Restriction of Excessive Authentication Attempts in Sielco PolyEco1000",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2023-5754",
    "datePublished": "2023-10-26T19:47:06.226Z",
    "dateReserved": "2023-10-24T16:24:16.565Z",
    "dateUpdated": "2025-01-16T21:27:38.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-4625 (GCVE-0-2023-4625)

Vulnerability from cvelistv5 – Published: 2023-11-06 04:57 – Updated: 2025-02-27 20:34
VLAI
Title
Denial-of-Service(DoS) Vulnerability in Web server function on MELSEC Series CPU module
Summary
Improper Restriction of Excessive Authentication Attempts vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F/iQ-R Series CPU modules Web server function allows a remote unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally by continuously attempting unauthorized login to the Web server function. The impact of this vulnerability will persist while the attacker continues to attempt unauthorized login.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
Vendor Product Version
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MT/ES Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-64MT/ES Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-80MT/ES Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MR/ES Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-64MR/ES Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-80MR/ES Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MT/DS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-64MT/DS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-80MT/DS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MR/DS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-64MR/DS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-80MR/DS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MT/ESS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-64MT/ESS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-80MT/ESS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MT/DSS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-64MT/DSS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-80MT/DSS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/D Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-64MT/D Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-96MT/D Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DSS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-64MT/DSS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-96MT/DSS Affected: all versions (for serial number 17X**** and later)
Affected: 1.060 or later (for serial number 179**** and prior)
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DS-TS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DSS-TS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MR/DS-TS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-24MT/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-40MT/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-60MT/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-24MR/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-40MR/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-60MR/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-24MT/ESS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-40MT/ESS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-60MT/ESS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-24MT/DS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-40MT/DS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-60MT/DS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-24MR/DS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-40MR/DS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-60MR/DS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-24MT/DSS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-40MT/DSS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-60MT/DSS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-24MT/ES-A Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-40MT/ES-A Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-60MT/ES-A Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-24MR/ES-A Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-40MR/ES-A Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-60MR/ES-A Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-30MT/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-40MT/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-60MT/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-80MT/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-30MR/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-40MR/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-60MR/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-80MR/ES Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-30MT/ESS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-40MT/ESS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-60MT/ESS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-80MT/ESS Affected: all versions
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R00CPU Affected: versions 05 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R01CPU Affected: versions 05 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R02CPU Affected: versions 05 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R04CPU Affected: versions 35 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R08CPU Affected: versions 35 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R16CPU Affected: versions 35 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R32CPU Affected: versions 35 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R120CPU Affected: versions 35 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R04ENCPU Affected: versions 35 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R08ENCPU Affected: versions 35 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R16ENCPU Affected: versions 35 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R32ENCPU Affected: versions 35 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R120ENCPU Affected: versions 35 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R08PCPU Affected: versions 37 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R16PCPU Affected: versions 37 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R32PCPU Affected: versions 37 or later
Create a notification for this product.
Mitsubishi Electric Corporation MELSEC iQ-R Series R120PCPU Affected: versions 37 or later
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:31:06.570Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-014_en.pdf"
          },
          {
            "tags": [
              "government-resource",
              "x_transferred"
            ],
            "url": "https://jvn.jp/vu/JVNVU94620134"
          },
          {
            "tags": [
              "government-resource",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4625",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-26T21:49:50.263922Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T20:34:25.710Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-32MT/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-64MT/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-80MT/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-32MR/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-64MR/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-80MR/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-32MT/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-64MT/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-80MT/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-32MR/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-64MR/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-80MR/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-32MT/ESS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-64MT/ESS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-80MT/ESS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-32MT/DSS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-64MT/DSS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5U-80MT/DSS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UC-32MT/D",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UC-64MT/D",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UC-96MT/D",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UC-32MT/DSS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UC-64MT/DSS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UC-96MT/DSS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions (for serial number 17X**** and later)"
            },
            {
              "status": "affected",
              "version": "1.060 or later (for serial number 179**** and prior)"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UC-32MT/DS-TS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UC-32MT/DSS-TS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UC-32MR/DS-TS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-24MT/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-40MT/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-60MT/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-24MR/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-40MR/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-60MR/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-24MT/ESS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-40MT/ESS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-60MT/ESS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-24MT/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-40MT/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-60MT/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-24MR/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-40MR/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-60MR/DS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-24MT/DSS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-40MT/DSS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-60MT/DSS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-24MT/ES-A",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-40MT/ES-A",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-60MT/ES-A",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-24MR/ES-A",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-40MR/ES-A",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5UJ-60MR/ES-A",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-30MT/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-40MT/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-60MT/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-80MT/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-30MR/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-40MR/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-60MR/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-80MR/ES",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-30MT/ESS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-40MT/ESS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-60MT/ESS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-F Series FX5S-80MT/ESS",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R00CPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 05 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R01CPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 05 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R02CPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 05 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R04CPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 35 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R08CPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 35 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R16CPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 35 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R32CPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 35 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R120CPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 35 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R04ENCPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 35 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R08ENCPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 35 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R16ENCPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 35 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R32ENCPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 35 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R120ENCPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 35 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R08PCPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 37 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R16PCPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 37 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R32PCPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 37 or later"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MELSEC iQ-R Series R120PCPU",
          "vendor": "Mitsubishi Electric Corporation",
          "versions": [
            {
              "status": "affected",
              "version": "versions 37 or later"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F/iQ-R Series CPU modules Web server function allows a remote unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally by continuously attempting unauthorized login to the Web server function. The impact of this vulnerability will persist while the attacker continues to attempt unauthorized login."
            }
          ],
          "value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F/iQ-R Series CPU modules Web server function allows a remote unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally by continuously attempting unauthorized login to the Web server function. The impact of this vulnerability will persist while the attacker continues to attempt unauthorized login."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service(DoS)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-15T05:17:45.711Z",
        "orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
        "shortName": "Mitsubishi"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-014_en.pdf"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://jvn.jp/vu/JVNVU94620134"
        },
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Denial-of-Service\uff08DoS\uff09 Vulnerability in Web server function on MELSEC Series CPU module",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
    "assignerShortName": "Mitsubishi",
    "cveId": "CVE-2023-4625",
    "datePublished": "2023-11-06T04:57:44.446Z",
    "dateReserved": "2023-08-30T12:11:44.835Z",
    "dateUpdated": "2025-02-27T20:34:25.710Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3669 (GCVE-0-2023-3669)

Vulnerability from cvelistv5 – Published: 2023-08-03 11:11 – Updated: 2025-02-27 21:11
VLAI
Title
CODESYS: Missing Brute-Force protection in CODESYS Development System
Summary
A missing Brute-Force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker to have unlimited attempts of guessing the password within an import dialog.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
Vendor Product Version
CODESYS CODESYS Development System Affected: 3.0.0.0 , < 3.5.19.20 (semver)
Create a notification for this product.
Date Public
2023-08-03 10:30
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:01:57.369Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert.vde.com/en/advisories/VDE-2023-023"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3669",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-26T21:51:08.351739Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T21:11:19.916Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CODESYS Development System",
          "vendor": "CODESYS",
          "versions": [
            {
              "lessThan": "3.5.19.20",
              "status": "affected",
              "version": "3.0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2023-08-03T10:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A missing Brute-Force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker to have unlimited attempts of guessing the password within an import dialog."
            }
          ],
          "value": "A missing Brute-Force protection in CODESYS Development System prior to 3.5.19.20 allows a local attacker to have unlimited attempts of guessing the password within an import dialog."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-03T11:11:05.068Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://cert.vde.com/en/advisories/VDE-2023-023"
        }
      ],
      "source": {
        "advisory": "VDE-2023-023",
        "defect": [
          "CERT@VDE#64562"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "CODESYS: Missing Brute-Force protection in CODESYS Development System",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2023-3669",
    "datePublished": "2023-08-03T11:11:05.068Z",
    "dateReserved": "2023-07-14T07:42:23.825Z",
    "dateUpdated": "2025-02-27T21:11:19.916Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3605 (GCVE-0-2023-3605)

Vulnerability from cvelistv5 – Published: 2023-07-10 20:00 – Updated: 2024-10-15 18:33
VLAI
Title
PHPGurukul Online Shopping Portal Registration Page excessive authentication
Summary
A vulnerability was found in PHPGurukul Online Shopping Portal 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Registration Page. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-233467.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
URL Tags
https://vuldb.com/?id.233467 vdb-entrytechnical-description
https://vuldb.com/?ctiid.233467 signature
Impacted products
Credits
dewanritik (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:01:56.578Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.233467"
          },
          {
            "tags": [
              "signature",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.233467"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3605",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-15T17:29:02.650167Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-15T18:33:35.103Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Registration Page"
          ],
          "product": "Online Shopping Portal",
          "vendor": "PHPGurukul",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "dewanritik (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in PHPGurukul Online Shopping Portal 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Registration Page. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-233467."
        },
        {
          "lang": "de",
          "value": "In PHPGurukul Online Shopping Portal 1.0 wurde eine kritische Schwachstelle ausgemacht. Betroffen ist eine unbekannte Verarbeitung der Komponente Registration Page. Durch die Manipulation mit unbekannten Daten kann eine improper restriction of excessive authentication attempts-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.4,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-23T14:49:19.445Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.233467"
        },
        {
          "tags": [
            "signature"
          ],
          "url": "https://vuldb.com/?ctiid.233467"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-07-10T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-07-10T00:00:00.000Z",
          "value": "CVE reserved"
        },
        {
          "lang": "en",
          "time": "2023-07-10T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2023-07-27T13:02:19.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "PHPGurukul Online Shopping Portal Registration Page excessive authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2023-3605",
    "datePublished": "2023-07-10T20:00:04.915Z",
    "dateReserved": "2023-07-10T19:20:05.031Z",
    "dateUpdated": "2024-10-15T18:33:35.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3548 (GCVE-0-2023-3548)

Vulnerability from cvelistv5 – Published: 2023-07-25 13:01 – Updated: 2024-10-23 19:01
VLAI
Title
IQ Wifi 6
Summary
An unauthorized user could gain account access to IQ Wifi 6 versions prior to 2.0.2 by conducting a brute force authentication attack.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
jci
Impacted products
Vendor Product Version
Johnson Controls IQ Wifi 6 Affected: 0 , < 2.0.2 (custom)
Create a notification for this product.
johnsoncontrols iq_wifi_6 Affected: 0 , < 2.0.2 (custom)
    cpe:2.3:h:johnsoncontrols:iq_wifi_6:-:*:*:*:*:*:*:*
Create a notification for this product.
Date Public
2023-07-25 12:56
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:01:56.452Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-206-04"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:h:johnsoncontrols:iq_wifi_6:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "iq_wifi_6",
            "vendor": "johnsoncontrols",
            "versions": [
              {
                "lessThan": "2.0.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3548",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-23T19:00:40.374965Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-23T19:01:43.727Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "IQ Wifi 6",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "lessThan": "2.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2023-07-25T12:56:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An unauthorized user could gain account access to IQ Wifi 6 versions prior to 2.0.2 by conducting a brute force authentication attack.\u003cbr\u003e"
            }
          ],
          "value": "An unauthorized user could gain account access to IQ Wifi 6 versions prior to 2.0.2 by conducting a brute force authentication attack.\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-112",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-112 Brute Force"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-25T13:01:04.564Z",
        "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "shortName": "jci"
      },
      "references": [
        {
          "url": "https://www.johnsoncontrols.com/cyber-solutions/security-advisories"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-206-04"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade\u0026nbsp;IQ Wifi 6 firmware to version 2.0.2.\u003cbr\u003eThe firmware update will be pushed to all available devices in the field.\u003cbr\u003eThe firmware update can also be manually loaded by applying the patch tag \u201ciqwifi2.0.2\u201d on the device after navigating to its firmware update page.\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Upgrade\u00a0IQ Wifi 6 firmware to version 2.0.2.\nThe firmware update will be pushed to all available devices in the field.\nThe firmware update can also be manually loaded by applying the patch tag \u201ciqwifi2.0.2\u201d on the device after navigating to its firmware update page.\n\n"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IQ Wifi 6",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
    "assignerShortName": "jci",
    "cveId": "CVE-2023-3548",
    "datePublished": "2023-07-25T13:01:04.564Z",
    "dateReserved": "2023-07-07T19:02:52.585Z",
    "dateUpdated": "2024-10-23T19:01:43.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-3173 (GCVE-0-2023-3173)

Vulnerability from cvelistv5 – Published: 2023-06-09 00:00 – Updated: 2025-01-06 17:11
VLAI
Title
Improper Restriction of Excessive Authentication Attempts in froxlor/froxlor
Summary
Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
Impacted products
Vendor Product Version
froxlor froxlor/froxlor Affected: unspecified , < 2.0.20 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:48:07.538Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/4d715f76-950d-4251-8139-3dffea798f14"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/froxlor/froxlor/commit/464216072456efb35b4541c58e7016463dfbd9a6"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-3173",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-06T17:11:52.944889Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-06T17:11:57.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "froxlor/froxlor",
          "vendor": "froxlor",
          "versions": [
            {
              "lessThan": "2.0.20",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-09T00:00:00.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/4d715f76-950d-4251-8139-3dffea798f14"
        },
        {
          "url": "https://github.com/froxlor/froxlor/commit/464216072456efb35b4541c58e7016463dfbd9a6"
        }
      ],
      "source": {
        "advisory": "4d715f76-950d-4251-8139-3dffea798f14",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Restriction of Excessive Authentication Attempts in froxlor/froxlor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2023-3173",
    "datePublished": "2023-06-09T00:00:00.000Z",
    "dateReserved": "2023-06-09T00:00:00.000Z",
    "dateUpdated": "2025-01-06T17:11:57.332Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design
  • Common protection mechanisms include:
  • Disconnecting the user after a small number of failed attempts
  • Implementing a timeout
  • Locking out a targeted account
  • Requiring a computational task on the user's part.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

CAPEC-49: Password Brute Forcing

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-565: Password Spraying

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.