CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
900 vulnerabilities reference this CWE, most recent first.
GHSA-RPC6-M3H5-GMF2
Vulnerability from github – Published: 2026-04-21 15:32 – Updated: 2026-04-29 21:31The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.
{
"affected": [],
"aliases": [
"CVE-2026-0972"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-74"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T15:16:35Z",
"severity": "HIGH"
},
"details": "The login limit is not enforced on the\u00a0SFTP service of Fortra\u0027s GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force.",
"id": "GHSA-rpc6-m3h5-gmf2",
"modified": "2026-04-29T21:31:22Z",
"published": "2026-04-21T15:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0972"
},
{
"type": "WEB",
"url": "https://fortra.com/security/advisories/product-security/fi-2026-004"
},
{
"type": "WEB",
"url": "https://www.fortra.com/security/advisories/product-security/fi-2026-006"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2026/Apr/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RPW6-C888-QG9M
Vulnerability from github – Published: 2025-04-14 09:30 – Updated: 2025-04-14 09:30A vulnerability classified as problematic was found in ScriptAndTools eCommerce-website-in-PHP 3.0. Affected by this vulnerability is an unknown functionality of the file /admin/login.php. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-3556"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-14T08:15:14Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic was found in ScriptAndTools eCommerce-website-in-PHP 3.0. Affected by this vulnerability is an unknown functionality of the file /admin/login.php. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-rpw6-c888-qg9m",
"modified": "2025-04-14T09:30:24Z",
"published": "2025-04-14T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3556"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.304597"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.304597"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.549187"
},
{
"type": "WEB",
"url": "https://www.websecurityinsights.my.id/2025/04/script-and-tools-ecommerce-30.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RQ42-58QF-V3QX
Vulnerability from github – Published: 2023-11-17 21:38 – Updated: 2023-11-20 22:06Summary
Application is using two login methods and one of them is using GET request for authentication. There is no rate limiting security feature at GET request or backend is not validating that.
PoC
Go to /?username=admin&password=password&submit=
Capture request in Burpsuite intruder and add payload marker at password parameter value.
Start the attack after adding your password list
We have added 74 passwords
Check screenshot for more info

Impact
An attacker can Bruteforce user accounts and using GET request for authentication is not recommended because certain web servers logs all requests in old logs which can also store victim user credentials.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "librenms/librenms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "23.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46745"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-17T21:38:42Z",
"nvd_published_at": "2023-11-17T22:15:07Z",
"severity": "MODERATE"
},
"details": "### Summary\nApplication is using two login methods and one of them is using GET request for authentication. There is no rate limiting security feature at GET request or backend is not validating that. \n\n### PoC\nGo to /?username=admin\u0026password=password\u0026submit=\nCapture request in Burpsuite intruder and add payload marker at password parameter value.\nStart the attack after adding your password list\nWe have added 74 passwords\nCheck screenshot for more info\n\u003cimg width=\"1241\" alt=\"Screenshot 2023-11-06 at 8 55 19\u202fPM\" src=\"https://user-images.githubusercontent.com/31764504/280905148-42274f1e-f869-4145-95b4-71c0bffde3a0.png\"\u003e\n\n### Impact\nAn attacker can Bruteforce user accounts and using GET request for authentication is not recommended because certain web servers logs all requests in old logs which can also store victim user credentials.",
"id": "GHSA-rq42-58qf-v3qx",
"modified": "2023-11-20T22:06:37Z",
"published": "2023-11-17T21:38:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-rq42-58qf-v3qx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46745"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/pull/15558"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/commit/7c006e96251ae1d32e1a015b361a7bfbb815c028"
},
{
"type": "PACKAGE",
"url": "https://github.com/librenms/librenms"
},
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/releases/tag/23.11.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "LibreNMS vulnerable to rate limiting bypass on login page"
}
GHSA-RQVJ-FC2X-99Q6
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2024-05-17 21:56An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "mediawiki/core"
},
"ranges": [
{
"events": [
{
"introduced": "1.31.0"
},
{
"fixed": "1.31.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "mediawiki/core"
},
"ranges": [
{
"events": [
{
"introduced": "1.32.0"
},
{
"fixed": "1.34.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-25827"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-17T21:56:33Z",
"nvd_published_at": "2020-09-27T21:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the OATHAuth extension in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. For Wikis using OATHAuth on a farm/cluster (such as via CentralAuth), rate limiting of OATH tokens is only done on a single site level. Thus, multiple requests can be made across many wikis/sites concurrently.",
"id": "GHSA-rqvj-fc2x-99q6",
"modified": "2024-05-17T21:56:33Z",
"published": "2022-05-24T17:29:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25827"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2020-25827.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/wikimedia/mediawiki"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RTTPZ7XMDS66I442OLLHXBDNP2LCBJU6"
},
{
"type": "WEB",
"url": "https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048480.html"
},
{
"type": "WEB",
"url": "https://lists.wikimedia.org/pipermail/mediawiki-l/2020-September/048488.html"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T251661"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OATHAuth extension in MediaWiki is not implementing rate limit"
}
GHSA-RV94-X2C7-F4PX
Vulnerability from github – Published: 2022-04-21 00:00 – Updated: 2022-04-30 00:00There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials.
{
"affected": [],
"aliases": [
"CVE-2022-26519"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "There is no limit to the number of attempts to authenticate for the local configuration pages for the Hills ComNav Version 3002-19 interface, which allows local attackers to brute-force credentials.",
"id": "GHSA-rv94-x2c7-f4px",
"modified": "2022-04-30T00:00:47Z",
"published": "2022-04-21T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26519"
},
{
"type": "WEB",
"url": "https://www.corporate.carrier.com/Images/CARR-PSA-Hills-ComNav-002-1121_tcm558-149392.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RV9F-9W9V-4X2W
Vulnerability from github – Published: 2023-01-31 00:30 – Updated: 2023-02-07 03:30Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior could bypass the brute force protection, allowing multiple attempts to force a login.
{
"affected": [],
"aliases": [
"CVE-2023-24020"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior could bypass the brute force protection, allowing multiple attempts to force a login.",
"id": "GHSA-rv9f-9w9v-4x2w",
"modified": "2023-02-07T03:30:23Z",
"published": "2023-01-31T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24020"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVGF-R637-RXV5
Vulnerability from github – Published: 2025-09-10 09:30 – Updated: 2025-09-10 09:30It is possible to bypass the clipping level of authentication attempts in SolaX Cloud through the use of the 'Forgot Password' functionality as an oracle.
{
"affected": [],
"aliases": [
"CVE-2025-36758"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-10T09:15:32Z",
"severity": "MODERATE"
},
"details": "It is possible to bypass the clipping level of authentication attempts in SolaX Cloud through the use of the \u0027Forgot Password\u0027 functionality as an oracle.",
"id": "GHSA-rvgf-r637-rxv5",
"modified": "2025-09-10T09:30:58Z",
"published": "2025-09-10T09:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36758"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/CVE-2025-36758"
},
{
"type": "WEB",
"url": "https://csirt.divd.nl/DIVD-2025-00015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RVXR-QVVC-M3G5
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2022-05-24 17:03An information disclosure vulnerability exists in GitLab CE/EE <v12.3.2, <v12.2.6, and <v12.1.12 that allowed project milestones to be disclosed via groups browsing.
{
"affected": [],
"aliases": [
"CVE-2019-15577"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-18T21:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists in GitLab CE/EE \u003cv12.3.2, \u003cv12.2.6, and \u003cv12.1.12 that allowed project milestones to be disclosed via groups browsing.",
"id": "GHSA-rvxr-qvvc-m3g5",
"modified": "2022-05-24T17:03:59Z",
"published": "2022-05-24T17:03:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15577"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/636560"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RWQJ-V2JQ-J266
Vulnerability from github – Published: 2022-02-11 00:00 – Updated: 2022-02-17 00:00A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)
{
"affected": [],
"aliases": [
"CVE-2022-22810"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T23:15:00Z",
"severity": "CRITICAL"
},
"details": "A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could allow an attacker to manipulate the admin after numerous attempts at guessing credentials. Affected Product: spaceLYnk (V2.6.2 and prior), Wiser for KNX (formerly homeLYnk) (V2.6.2 and prior), fellerLYnk (V2.6.2 and prior)",
"id": "GHSA-rwqj-v2jq-j266",
"modified": "2022-02-17T00:00:44Z",
"published": "2022-02-11T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22810"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-039-04"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RXJ6-C9PH-RRRH
Vulnerability from github – Published: 2022-10-30 12:00 – Updated: 2024-05-02 18:30PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts.
{
"affected": [],
"aliases": [
"CVE-2022-44022"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-30T00:15:00Z",
"severity": "MODERATE"
},
"details": "PwnDoc through 0.5.3 might allow remote attackers to identify valid user account names by leveraging response timings for authentication attempts.",
"id": "GHSA-rxj6-c9ph-rrrh",
"modified": "2024-05-02T18:30:50Z",
"published": "2022-10-30T12:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44022"
},
{
"type": "WEB",
"url": "https://github.com/pwndoc/pwndoc/issues/381"
},
{
"type": "WEB",
"url": "https://cve.nstsec.com/cve-2022-44022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.