CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
905 vulnerabilities reference this CWE, most recent first.
GHSA-566F-J62V-7P4F
Vulnerability from github – Published: 2023-12-07 12:30 – Updated: 2026-04-28 21:33Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15.
{
"affected": [],
"aliases": [
"CVE-2023-35039"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-07T12:15:07Z",
"severity": "CRITICAL"
},
"details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15.",
"id": "GHSA-566f-j62v-7p4f",
"modified": "2026-04-28T21:33:18Z",
"published": "2023-12-07T12:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35039"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/bdvs-password-reset/wordpress-password-reset-with-code-for-wordpress-rest-api-plugin-0-0-15-privilege-escalation-due-to-weak-pin-generation-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-56CX-WF47-HX7W
Vulnerability from github – Published: 2021-08-09 20:38 – Updated: 2023-07-06 21:34firefly-iii is vulnerable to Improper Lack of Restriction of Excessive Authentication Attempts
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "grumpydictator/firefly-iii"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.5.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3663"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-02T22:13:58Z",
"nvd_published_at": "2021-07-25T14:15:00Z",
"severity": "MODERATE"
},
"details": "firefly-iii is vulnerable to Improper Lack of Restriction of Excessive Authentication Attempts",
"id": "GHSA-56cx-wf47-hx7w",
"modified": "2023-07-06T21:34:16Z",
"published": "2021-08-09T20:38:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3663"
},
{
"type": "WEB",
"url": "https://github.com/firefly-iii/firefly-iii/commit/afc9f4b7ebc8a240c85864a6e1abda62bfeefae8"
},
{
"type": "PACKAGE",
"url": "https://github.com/firefly-iii/firefly-iii"
},
{
"type": "WEB",
"url": "https://github.com/firefly-iii/firefly-iii/releases/tag/5.5.13"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/497bdf6d-7dba-49c3-8011-1c64dfbb3380"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": " No Restriction of Excessive Authentication Attempts in Firefly III"
}
GHSA-57JG-M997-CX3Q
Vulnerability from github – Published: 2025-06-16 14:52 – Updated: 2025-06-16 21:47Impact
The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing.
Patches
This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918.
References
Thanks to obscuredeer for reporting this issue at HackerOne.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "weblate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47951"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-16T14:52:53Z",
"nvd_published_at": "2025-06-16T21:15:24Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThe verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allows an attacker with valid credentials to automate OTP guessing. \n\n### Patches\n\nThis issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/14918.\n\n### References\n\nThanks to [obscuredeer](https://hackerone.com/obscuredeer) for reporting this [issue at HackerOne](https://hackerone.com/reports/3150564).",
"id": "GHSA-57jg-m997-cx3q",
"modified": "2025-06-16T21:47:01Z",
"published": "2025-06-16T14:52:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-57jg-m997-cx3q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47951"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/pull/14918"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/commit/f806293451248c5d95e45b3b507e9d158bc4f384"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3150564"
},
{
"type": "PACKAGE",
"url": "https://github.com/WeblateOrg/weblate"
},
{
"type": "WEB",
"url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.12.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Weblate lacks rate limiting when verifying second factor"
}
GHSA-587H-JW63-JWF2
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user's mailbox
{
"affected": [],
"aliases": [
"CVE-2020-27423"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-16T16:15:00Z",
"severity": "HIGH"
},
"details": "Anuko Time Tracker v1.19.23.5311 lacks rate limit on the password reset module which allows attacker to perform Denial of Service attack on any legitimate user\u0027s mailbox",
"id": "GHSA-587h-jw63-jwf2",
"modified": "2022-05-24T17:34:17Z",
"published": "2022-05-24T17:34:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27423"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/160052/Anuko-Time-Tracker-1.19.23.5311-Missing-Rate-Limiting.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-58X6-MQ8J-R7VC
Vulnerability from github – Published: 2022-05-24 17:11 – Updated: 2022-05-24 17:11The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Basic Authentication over cleartext HTTP.
{
"affected": [],
"aliases": [
"CVE-2019-13394"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-13T18:15:00Z",
"severity": "MODERATE"
},
"details": "The Voo branded NETGEAR CG3700b custom firmware V2.02.03 uses HTTP Basic Authentication over cleartext HTTP.",
"id": "GHSA-58x6-mq8j-r7vc",
"modified": "2022-05-24T17:11:25Z",
"published": "2022-05-24T17:11:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13394"
},
{
"type": "WEB",
"url": "https://www.doyler.net/security-not-included/voo-netgear-cg3700b-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-59H5-F896-QX2F
Vulnerability from github – Published: 2024-06-10 12:30 – Updated: 2024-06-10 12:30Improper restriction of excessive authentication attempts with two factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms.
{
"affected": [],
"aliases": [
"CVE-2024-28833"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-10T12:15:09Z",
"severity": "MODERATE"
},
"details": "Improper restriction of excessive authentication attempts with two factor authentication methods in Checkmk 2.3 before 2.3.0p6 facilitates brute-forcing of second factor mechanisms.",
"id": "GHSA-59h5-f896-qx2f",
"modified": "2024-06-10T12:30:42Z",
"published": "2024-06-10T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28833"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/16830"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-59XC-5V89-R7PR
Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-10 20:25Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T20:25:02Z",
"nvd_published_at": "2026-04-09T22:16:34Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.",
"id": "GHSA-59xc-5v89-r7pr",
"modified": "2026-04-10T20:25:02Z",
"published": "2026-04-10T00:30:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35646"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token",
"withdrawn": "2026-04-10T20:25:02Z"
}
GHSA-5C8J-7C6C-838X
Vulnerability from github – Published: 2022-01-19 00:01 – Updated: 2026-02-23 09:31Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.
{
"affected": [],
"aliases": [
"CVE-2021-41807"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-18T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.",
"id": "GHSA-5c8j-7c6c-838x",
"modified": "2026-02-23T09:31:16Z",
"published": "2022-01-19T00:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41807"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2021-41807"
},
{
"type": "WEB",
"url": "https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41807"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CF8-VRR8-8HJM
Vulnerability from github – Published: 2023-03-03 22:47 – Updated: 2023-03-03 22:47Impact
Users can deduce the content of the password fields by repeated call to LiveTableResults and WikisLiveTableResultsMacros.
Patches
The issue is applied on versions 14.7-rc-1, 13.4.4, and 13.10.9.
Workarounds
The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, and 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on LiveTableResults and WikisLiveTableResultsMacros.
References
- Jira: https://jira.xwiki.org/browse/XWIKI-19949
- Patch: https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-livetable-ui"
},
"ranges": [
{
"events": [
{
"introduced": "3.2-m3"
},
{
"fixed": "13.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki"
},
"ranges": [
{
"events": [
{
"introduced": "3.2-m3"
},
{
"fixed": "13.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-livetable-ui"
},
"ranges": [
{
"events": [
{
"introduced": "13.5.0"
},
{
"fixed": "13.10.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki"
},
"ranges": [
{
"events": [
{
"introduced": "13.5.0"
},
{
"fixed": "13.10.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-livetable-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "14.7-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki"
},
"ranges": [
{
"events": [
{
"introduced": "14.0.0"
},
{
"fixed": "14.7-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26476"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-03T22:47:49Z",
"nvd_published_at": "2023-03-02T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nUsers can deduce the content of the password fields by repeated call to `LiveTableResults` and `WikisLiveTableResultsMacros`.\n\n### Patches\nThe issue is applied on versions 14.7-rc-1, 13.4.4, and 13.10.9.\n\n### Workarounds\nThe issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, and 13.10.9 and higher, or in version \u003e= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`.\n\n### References\n- Jira: https://jira.xwiki.org/browse/XWIKI-19949\n- Patch: https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n- Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
"id": "GHSA-5cf8-vrr8-8hjm",
"modified": "2023-03-03T22:47:49Z",
"published": "2023-03-03T22:47:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5cf8-vrr8-8hjm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26476"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-19949"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "XWiki Platform packages Expose Sensitive Information to an Unauthorized Actor"
}
GHSA-5CX4-W4FH-FR57
Vulnerability from github – Published: 2026-02-03 12:30 – Updated: 2026-02-03 19:15A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0-beta"
},
{
"fixed": "4.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0-beta"
},
{
"fixed": "4.5.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-beta"
},
{
"fixed": "5.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0-beta"
},
{
"fixed": "5.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67853"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-03T19:15:22Z",
"nvd_published_at": "2026-02-03T11:15:55Z",
"severity": "HIGH"
},
"details": "A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.",
"id": "GHSA-5cx4-w4fh-fr57",
"modified": "2026-02-03T19:15:22Z",
"published": "2026-02-03T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67853"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-67853"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423847"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=471303"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle Affected by Improper Restriction of Excessive Authentication Attempts"
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.