Common Weakness Enumeration

CWE-307

Allowed

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

900 vulnerabilities reference this CWE, most recent first.

CVE-2026-1409 (GCVE-0-2026-1409)

Vulnerability from cvelistv5 – Published: 2026-01-25 23:32 – Updated: 2026-02-23 08:54
VLAI
Title
Beetel 777VR1 UART excessive authentication
Summary
A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack on the physical device. The attack's complexity is rated as high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
  • CWE-799 - Improper Control of Interaction Frequency
Assigner
References
URL Tags
https://vuldb.com/?id.342798 vdb-entrytechnical-description
https://vuldb.com/?ctiid.342798 signaturepermissions-required
https://vuldb.com/?submit.739399 third-party-advisory
https://gist.github.com/raghav20232023/19900b4274… exploit
Impacted products
Vendor Product Version
Beetel 777VR1 Affected: 01.00.09
Affected: 01.00.09_55
Create a notification for this product.
Credits
raghav_2026 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1409",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-26T17:29:53.210725Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-26T17:29:59.180Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "UART Interface"
          ],
          "product": "777VR1",
          "vendor": "Beetel",
          "versions": [
            {
              "status": "affected",
              "version": "01.00.09"
            },
            {
              "status": "affected",
              "version": "01.00.09_55"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "raghav_2026 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack on the physical device. The attack\u0027s complexity is rated as high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 2,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 2,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 1.2,
            "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-799",
              "description": "Improper Control of Interaction Frequency",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T08:54:25.875Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-342798 | Beetel 777VR1 UART excessive authentication",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.342798"
        },
        {
          "name": "VDB-342798 | CTI Indicators (IOB, IOC, TTP)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.342798"
        },
        {
          "name": "Submit #739399 | Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-307 Improper Restriction - Excessive Authentication Attempts",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.739399"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://gist.github.com/raghav20232023/19900b427445adf37f64ae953611bfce"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-25T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-01-25T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-01-31T07:44:08.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Beetel 777VR1 UART excessive authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-1409",
    "datePublished": "2026-01-25T23:32:06.715Z",
    "dateReserved": "2026-01-25T09:43:09.352Z",
    "dateUpdated": "2026-02-23T08:54:25.875Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-69246 (GCVE-0-2025-69246)

Vulnerability from cvelistv5 – Published: 2026-03-16 11:54 – Updated: 2026-03-16 13:49 X_Open Source
VLAI
Title
Lack of bruteforce protection in Raytha CMS
Summary
Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
Vendor Product Version
Raytha Raytha Affected: 0 , < 1.4.6 (semver)
Create a notification for this product.
Credits
Daniel Basta
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-69246",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-16T13:36:22.059525Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-16T13:49:55.933Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Raytha",
          "repo": "https://github.com/raythahq/raytha",
          "vendor": "Raytha",
          "versions": [
            {
              "lessThan": "1.4.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Basta"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Raytha CMS does not have any brute force protection mechanism implemented. \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIt allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 1.4.6."
            }
          ],
          "value": "Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges.\n\nThis issue was fixed in version 1.4.6."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-49",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-49 Password Brute Forcing"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-16T11:54:50.995Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/03/CVE-2025-69236"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://raytha.com"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Lack of bruteforce protection in Raytha CMS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2025-69246",
    "datePublished": "2026-03-16T11:54:50.995Z",
    "dateReserved": "2025-12-30T08:44:21.411Z",
    "dateUpdated": "2026-03-16T13:49:55.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-67853 (GCVE-0-2025-67853)

Vulnerability from cvelistv5 – Published: 2026-02-03 10:52 – Updated: 2026-02-03 15:43
VLAI
Title
Moodle: moodle: brute-force facilitation due to missing rate limiting in confirmation email service
Summary
A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
URL Tags
https://access.redhat.com/security/cve/CVE-2025-67853 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2423847 issue-trackingx_refsource_REDHAT
Impacted products
Vendor Product Version
Affected: 4.1.0 , < 4.1.22 (semver)
Affected: 4.4.0 , < 4.4.12 (semver)
Affected: 4.5.0 , < 4.5.8 (semver)
Affected: 5.0.0 , < 5.0.4 (semver)
Affected: 5.1.0 , < 5.1.1 (semver)
Date Public
2025-12-15 04:00
Credits
Red Hat would like to thank Petr Skoda for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-67853",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:43:42.458056Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:43:49.951Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/moodle/moodle/",
          "defaultStatus": "unaffected",
          "packageName": "moodle",
          "versions": [
            {
              "lessThan": "4.1.22",
              "status": "affected",
              "version": "4.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.4.12",
              "status": "affected",
              "version": "4.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5.8",
              "status": "affected",
              "version": "4.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.0.4",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.1.1",
              "status": "affected",
              "version": "5.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Petr Skoda for reporting this issue."
        }
      ],
      "datePublic": "2025-12-15T04:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T10:52:12.755Z",
        "orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
        "shortName": "fedora"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-67853"
        },
        {
          "name": "RHBZ#2423847",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423847"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-19T12:15:54.071Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-12-15T04:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Moodle: moodle: brute-force facilitation due to missing rate limiting in confirmation email service",
      "x_redhatCweChain": "CWE-307: Improper Restriction of Excessive Authentication Attempts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
    "assignerShortName": "fedora",
    "cveId": "CVE-2025-67853",
    "datePublished": "2026-02-03T10:52:12.755Z",
    "dateReserved": "2025-12-12T13:00:24.330Z",
    "dateUpdated": "2026-02-03T15:43:49.951Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66482 (GCVE-0-2025-66482)

Vulnerability from cvelistv5 – Published: 2025-12-15 23:18 – Updated: 2025-12-16 15:09
VLAI
Title
Misskey has a login rate limit bypass via spoofed X-Forwarded-For header
Summary
Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0-alpha.2, making it still vulnerable if the configuration is not set correctly. This is patched in v2025.12.0-alpha.2 by flipping default value of `trustProxy` to `false`. Users of a trusted reverse proxy who are unsure if they manually overode this value should check their config for optimal behavior. Users are running Misskey with a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, workaround is available. Set `trustProxy: false` in config file.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
  • CWE-1188 - Insecure Default Initialization of Resource
Assigner
References
Impacted products
Vendor Product Version
misskey-dev misskey Affected: >= 2025.9.1, < 2025.12.0-alpha.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66482",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-16T14:37:27.348528Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-16T15:09:19.925Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "misskey",
          "vendor": "misskey-dev",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2025.9.1, \u003c 2025.12.0-alpha.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0-alpha.2, making it still vulnerable if the configuration is not set correctly. This is patched in v2025.12.0-alpha.2 by flipping default value of `trustProxy` to `false`. Users of a trusted reverse proxy who are unsure if they manually overode this value should check their config for optimal behavior. Users are running Misskey with a trusted reverse proxy should not be affected by this vulnerability. From v2025.9.1 to v2025.11.1, workaround is available. Set `trustProxy: false` in config file."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188: Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-15T23:18:53.415Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/misskey-dev/misskey/security/advisories/GHSA-wwrj-3hvj-prpm"
        },
        {
          "name": "https://github.com/misskey-dev/misskey/commit/5512898463fa8487b9e6488912f35102b91f25f7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/misskey-dev/misskey/commit/5512898463fa8487b9e6488912f35102b91f25f7"
        }
      ],
      "source": {
        "advisory": "GHSA-wwrj-3hvj-prpm",
        "discovery": "UNKNOWN"
      },
      "title": "Misskey has a login rate limit bypass via spoofed X-Forwarded-For header"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66482",
    "datePublished": "2025-12-15T23:18:37.295Z",
    "dateReserved": "2025-12-02T17:09:52.016Z",
    "dateUpdated": "2025-12-16T15:09:19.925Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66204 (GCVE-0-2025-66204)

Vulnerability from cvelistv5 – Published: 2025-12-08 23:50 – Updated: 2025-12-09 16:03
VLAI
Title
WBCE CMS allows brute-force protection bypass using X-Forwarded-For header
Summary
WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
  • CWE-693 - Protection Mechanism Failure
Assigner
Impacted products
Vendor Product Version
WBCE WBCE_CMS Affected: >= 1.6.4, < 1.6.5
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66204",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-09T14:18:12.951947Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-09T16:03:59.128Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WBCE_CMS",
          "vendor": "WBCE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.6.4, \u003c 1.6.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-693",
              "description": "CWE-693: Protection Mechanism Failure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T23:50:58.647Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WBCE/WBCE_CMS/security/advisories/GHSA-f676-f375-m7mw"
        },
        {
          "name": "https://github.com/WBCE/WBCE_CMS/commit/3765baddf27f31bbbea9c0228c452268621b25e5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WBCE/WBCE_CMS/commit/3765baddf27f31bbbea9c0228c452268621b25e5"
        },
        {
          "name": "https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5"
        }
      ],
      "source": {
        "advisory": "GHSA-f676-f375-m7mw",
        "discovery": "UNKNOWN"
      },
      "title": "WBCE CMS allows brute-force protection bypass using X-Forwarded-For header"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66204",
    "datePublished": "2025-12-08T23:50:58.647Z",
    "dateReserved": "2025-11-24T23:01:29.677Z",
    "dateUpdated": "2025-12-09T16:03:59.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64526 (GCVE-0-2025-64526)

Vulnerability from cvelistv5 – Published: 2026-05-14 18:32 – Updated: 2026-05-16 00:49
VLAI
Title
Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying
Summary
Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts. The rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request. The patch in version 5.45.0 maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64526",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-16T00:48:16.468125Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-16T00:49:25.996Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "strapi",
          "vendor": "strapi",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.45.0"
            }
          ]
        },
        {
          "product": "@strapi/plugin-users-permissions",
          "vendor": "strapi",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.45.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts. The rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request. The patch in version 5.45.0 maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T18:33:56.463Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/strapi/strapi/security/advisories/GHSA-7mqx-wwh4-f9fw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/strapi/strapi/security/advisories/GHSA-7mqx-wwh4-f9fw"
        },
        {
          "name": "https://github.com/strapi/strapi/pull/24818",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/strapi/strapi/pull/24818"
        },
        {
          "name": "https://github.com/strapi/strapi/commit/5e0d243cba9830e6f791de6a94798bcde51468db",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/strapi/strapi/commit/5e0d243cba9830e6f791de6a94798bcde51468db"
        },
        {
          "name": "https://github.com/strapi/strapi/releases/tag/v5.45.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/strapi/strapi/releases/tag/v5.45.0"
        }
      ],
      "source": {
        "advisory": "GHSA-7mqx-wwh4-f9fw",
        "discovery": "UNKNOWN"
      },
      "title": "Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64526",
    "datePublished": "2026-05-14T18:32:01.998Z",
    "dateReserved": "2025-11-05T21:15:39.401Z",
    "dateUpdated": "2026-05-16T00:49:25.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64310 (GCVE-0-2025-64310)

Vulnerability from cvelistv5 – Published: 2025-11-21 02:36 – Updated: 2025-12-23 02:28
VLAI
Summary
EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper restriction of excessive authentication attempts
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64310",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-21T14:46:33.297574Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-21T14:58:53.483Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EPSON WebConfig for SEIKO EPSON Projector Products",
          "vendor": "SEIKO EPSON CORPORATION",
          "versions": [
            {
              "status": "affected",
              "version": "see the information provided by the vendor"
            }
          ]
        },
        {
          "product": "Epson Web Control for SEIKO EPSON Projector Products",
          "vendor": "SEIKO EPSON CORPORATION",
          "versions": [
            {
              "status": "affected",
              "version": "see the information provided by the vendor"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user\u0027s password may be identified through a brute force attack."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "Improper restriction of excessive authentication attempts",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T02:28:01.044Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.epson.co.uk/en_GB/faq/KA-02041/contents?loc=en-us"
        },
        {
          "url": "https://www.epson.jp/support/misc_t/251120_oshirase.htm"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU95021911/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2025-64310",
    "datePublished": "2025-11-21T02:36:35.115Z",
    "dateReserved": "2025-10-30T00:25:25.443Z",
    "dateUpdated": "2025-12-23T02:28:01.044Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-64102 (GCVE-0-2025-64102)

Vulnerability from cvelistv5 – Published: 2025-10-29 18:36 – Updated: 2025-10-30 14:53
VLAI
Title
Zitadel allows brute-forcing authentication factors
Summary
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
Vendor Product Version
zitadel zitadel Affected: >= 4.0.0-rc.1, < 4.6.0
Affected: >= 3.0.0-rc.1, < 3.4.3
Affected: >= 2.0.0, < 2.71.18
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-64102",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-30T14:53:46.409256Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-30T14:53:53.184Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "zitadel",
          "vendor": "zitadel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0-rc.1, \u003c 4.6.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-rc.1, \u003c 3.4.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.71.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, an attacker can perform an online brute-force attack on OTP, TOTP, and passwords. While Zitadel allows preventing online brute force attacks in scenarios like TOTP, Email OTP, or passwords using a lockout mechanism. The mechanism is not enabled by default and can cause a denial of service for the corresponding user if enabled. Additionally, the mitigation strategies were not fully implemented in the more recent resource-based APIs. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T18:36:15.390Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878"
        },
        {
          "name": "https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/zitadel/zitadel/commit/b8db8cdf9cc8ea13f461758aef12457f8b7d972a"
        }
      ],
      "source": {
        "advisory": "GHSA-xrw9-r35x-x878",
        "discovery": "UNKNOWN"
      },
      "title": "Zitadel allows brute-forcing authentication factors"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-64102",
    "datePublished": "2025-10-29T18:36:15.390Z",
    "dateReserved": "2025-10-27T15:26:14.127Z",
    "dateUpdated": "2025-10-30T14:53:53.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-62399 (GCVE-0-2025-62399)

Vulnerability from cvelistv5 – Published: 2025-10-23 11:28 – Updated: 2025-10-23 14:52
VLAI
Title
Moodle: password brute force risk when mobile/web services enabled
Summary
Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
URL Tags
https://access.redhat.com/security/cve/CVE-2025-62399 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2404432 issue-trackingx_refsource_REDHAT
Impacted products
Vendor Product Version
Affected: 5.0.0 , < 5.0.3 (semver)
Affected: 4.5.0 , < 4.5.7 (semver)
Affected: 4.4.0 , < 4.4.11 (semver)
Affected: 4.1.0 , < 4.1.21 (semver)
Date Public
2025-10-14 04:00
Credits
Red Hat would like to thank Petr Skoda for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62399",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-23T14:51:39.821636Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-23T14:52:02.496Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://git.moodle.org",
          "defaultStatus": "unaffected",
          "packageName": "moodle",
          "versions": [
            {
              "lessThan": "5.0.3",
              "status": "affected",
              "version": "5.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5.7",
              "status": "affected",
              "version": "4.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.4.11",
              "status": "affected",
              "version": "4.4.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.1.21",
              "status": "affected",
              "version": "4.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Petr Skoda for reporting this issue."
        }
      ],
      "datePublic": "2025-10-14T04:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Moodle\u2019s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-23T11:28:39.756Z",
        "orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
        "shortName": "fedora"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-62399"
        },
        {
          "name": "RHBZ#2404432",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404432"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-16T14:36:07.887Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-10-14T04:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Moodle: password brute force risk when mobile/web services enabled",
      "x_redhatCweChain": "CWE-307: Improper Restriction of Excessive Authentication Attempts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
    "assignerShortName": "fedora",
    "cveId": "CVE-2025-62399",
    "datePublished": "2025-10-23T11:28:39.756Z",
    "dateReserved": "2025-10-13T10:12:30.925Z",
    "dateUpdated": "2025-10-23T14:52:02.496Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-62313 (GCVE-0-2025-62313)

Vulnerability from cvelistv5 – Published: 2026-05-14 16:07 – Updated: 2026-05-14 18:29
VLAI
Title
HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced.
Summary
HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. This may allow repeated authentication attempts, potentially leading to unauthorized access or account compromise under certain conditions.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
HCL
Impacted products
Vendor Product Version
HCL AION Affected: 2.1.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62313",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T18:28:52.269348Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T18:29:09.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "AION",
          "vendor": "HCL",
          "versions": [
            {
              "status": "affected",
              "version": "2.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. This may allow repeated authentication attempts, potentially leading to unauthorized access or account compromise under certain conditions."
            }
          ],
          "value": "HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. This may allow repeated authentication attempts, potentially leading to unauthorized access or account compromise under certain conditions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T16:07:54.261Z",
        "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "shortName": "HCL"
      },
      "references": [
        {
          "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130636"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced.",
      "x_generator": {
        "engine": "Vulnogram 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
    "assignerShortName": "HCL",
    "cveId": "CVE-2025-62313",
    "datePublished": "2026-05-14T16:07:54.261Z",
    "dateReserved": "2025-10-10T09:04:16.878Z",
    "dateUpdated": "2026-05-14T18:29:09.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design
  • Common protection mechanisms include:
  • Disconnecting the user after a small number of failed attempts
  • Implementing a timeout
  • Locking out a targeted account
  • Requiring a computational task on the user's part.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

CAPEC-49: Password Brute Forcing

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-565: Password Spraying

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.