Common Weakness Enumeration

CWE-307

Allowed

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

905 vulnerabilities reference this CWE, most recent first.

CVE-2014-5414 (GCVE-0-2014-5414)

Vulnerability from cvelistv5 – Published: 2016-10-05 10:00 – Updated: 2025-11-04 23:09
VLAI
Title
Beckhoff Embedded PC Images and TwinCAT Components Improper Restriction of Excessive Authentication Attempts
Summary
Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.
CWE
Assigner
Date Public
2016-10-04 06:00
Credits
Gregor Bonney from FH Aachen University of Applied Sciences
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T11:41:49.195Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "93349",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/93349"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-278-02"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Embedded PC Images",
          "vendor": "Beckhoff",
          "versions": [
            {
              "lessThan": "October 22, 2014",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TwinCAT Components featuring Automation Device Specification (ADS) communication",
          "vendor": "Beckhoff",
          "versions": [
            {
              "status": "affected",
              "version": "All"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gregor Bonney from FH Aachen University of Applied Sciences"
        }
      ],
      "datePublic": "2016-10-04T06:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eBeckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack.\u003c/p\u003e"
            }
          ],
          "value": "Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-04T23:09:34.639Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "name": "93349",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/93349"
        },
        {
          "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf"
        },
        {
          "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf"
        },
        {
          "url": "https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-16-278-02"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2016/icsa-16-278-02.json"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eBeckhoff recommends in their IPC Security Manual \n(\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://download.beckhoff.com/download/Document/ipc/industrial-pc/ipc_security_en.pdf\"\u003ehttps://download.beckhoff.com/download/Document/ipc/industrial-pc/ipc_security_en.pdf\u003c/a\u003e)\n to use network and software firewalls to block all network ports except\n the ones that are needed. Beckhoff also recommends that default \npasswords be changed during commissioning before connecting systems to \nthe network.\u003c/p\u003e\n\u003cp\u003eIn their advisories (Advisory 2014-001: Potential \nmisuse of several administrative services, \n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf\"\u003ehttps://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf\u003c/a\u003e. Advisory 2014-002: ADS communication port allows password bruteforce, \n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf\"\u003ehttps://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf\u003c/a\u003e. Advisory2014-003: Recommendation to change default passwords, \n\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf\"\u003ehttps://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf\u003c/a\u003e\u0026nbsp;which were published November \n17, 2014) for these issues, Beckhoff also recommends the following \nmitigation solutions:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate images to build October 22, 2014, or newer, which solve these problems by disabling the services by default.\u003c/li\u003e\n\u003cli\u003eDisable the Windows CE Remote Configuration Tool by deleting the \nsubtree \u201c/remoteadmin.\u201d The configuration of the web server paths can be\n found in the Windows registry at the path \n\u201cHKEY_LOCAL_MACHINE\\COMM\\HTTPD\\VROOTS\\.\u201d\u003c/li\u003e\n\u003cli\u003eDisable startup of CE Remote Display service (cerdisp.exe) with \ndeleting the registry key containing the \u201cCeRDisp.exe\u201d \n[-HKEY_LOCAL_MACHINE\\init\\Launch90].\u003c/li\u003e\n\u003cli\u003eDisable telnet by setting the registry key [HKEY_LOCAL_MACHINE\\Services\\TELNETD\\Flags] to dword: 4\u003c/li\u003e\n\u003cli\u003eRestrict ADS communication to trusted networks only.\u003c/li\u003e\n\u003c/ul\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "Beckhoff recommends in their IPC Security Manual \n( https://download.beckhoff.com/download/Document/ipc/industrial-pc/ipc_security_en.pdf )\n to use network and software firewalls to block all network ports except\n the ones that are needed. Beckhoff also recommends that default \npasswords be changed during commissioning before connecting systems to \nthe network.\n\n\nIn their advisories (Advisory 2014-001: Potential \nmisuse of several administrative services, \n https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf . Advisory 2014-002: ADS communication port allows password bruteforce, \n https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf . Advisory2014-003: Recommendation to change default passwords, \n https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf \u00a0which were published November \n17, 2014) for these issues, Beckhoff also recommends the following \nmitigation solutions:\n\n\n\n  *  Update images to build October 22, 2014, or newer, which solve these problems by disabling the services by default.\n\n  *  Disable the Windows CE Remote Configuration Tool by deleting the \nsubtree \u201c/remoteadmin.\u201d The configuration of the web server paths can be\n found in the Windows registry at the path \n\u201cHKEY_LOCAL_MACHINE\\COMM\\HTTPD\\VROOTS\\.\u201d\n\n  *  Disable startup of CE Remote Display service (cerdisp.exe) with \ndeleting the registry key containing the \u201cCeRDisp.exe\u201d \n[-HKEY_LOCAL_MACHINE\\init\\Launch90].\n\n  *  Disable telnet by setting the registry key [HKEY_LOCAL_MACHINE\\Services\\TELNETD\\Flags] to dword: 4\n\n  *  Restrict ADS communication to trusted networks only."
        }
      ],
      "source": {
        "advisory": "ICSA-16-278-02",
        "discovery": "EXTERNAL"
      },
      "title": "Beckhoff Embedded PC Images and TwinCAT Components Improper Restriction of Excessive Authentication Attempts",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2014-5414",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Beckhoff Embedded PC images before 2014-10-22 and Automation Device Specification (ADS) TwinCAT components do not restrict the number of authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "93349",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/93349"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-16-278-02",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-278-02"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2014-5414",
    "datePublished": "2016-10-05T10:00:00.000Z",
    "dateReserved": "2014-08-22T00:00:00.000Z",
    "dateUpdated": "2025-11-04T23:09:34.639Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-225P-WQPV-W4VG

Vulnerability from github – Published: 2025-05-02 06:31 – Updated: 2025-05-02 06:31
VLAI
Details

Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T04:15:55Z",
    "severity": "CRITICAL"
  },
  "details": "Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.",
  "id": "GHSA-225p-wqpv-w4vg",
  "modified": "2025-05-02T06:31:24Z",
  "published": "2025-05-02T06:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3709"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/en/cp-139-10090-112f7-2.html"
    },
    {
      "type": "WEB",
      "url": "https://www.twcert.org.tw/tw/cp-132-10091-12462-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-22JV-36FH-M28X

Vulnerability from github – Published: 2024-07-09 12:30 – Updated: 2024-07-09 12:30
VLAI
Details

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its Client Communication component. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T12:15:19Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.2 SP1). The affected application does not properly implement brute force protection against user credentials in its Client Communication component. This could allow an attacker to learn user credentials that are vulnerable to brute force attacks.",
  "id": "GHSA-22jv-36fh-m28x",
  "modified": "2024-07-09T12:30:58Z",
  "published": "2024-07-09T12:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39874"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-381581.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-22PF-6RH7-89GJ

Vulnerability from github – Published: 2024-11-26 15:31 – Updated: 2024-11-26 15:31
VLAI
Details

A vulnerability exists in NSD570 login panel that does not restrict excessive authentication attempts. If exploited, this could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the equipment login. Note that the system supports only one concurrent session and implements a delay of more than a second between failed login attempts making it difficult to automate the attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-26T14:15:22Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability exists in NSD570 login panel that does not restrict excessive authentication attempts. If exploited, this could\ncause account takeover and unauthorized access to the system\nwhen an attacker conducts brute-force attacks against the\nequipment login. Note that the system supports only one concurrent session and implements a delay of more than a second\nbetween failed login attempts making it difficult to automate the\nattacks.",
  "id": "GHSA-22pf-6rh7-89gj",
  "modified": "2024-11-26T15:31:03Z",
  "published": "2024-11-26T15:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9928"
    },
    {
      "type": "WEB",
      "url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000173\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-23WC-J7FG-6XP5

Vulnerability from github – Published: 2023-11-06 06:30 – Updated: 2023-11-06 06:30
VLAI
Details

Improper Restriction of Excessive Authentication Attempts vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules Web server function allows a remote unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally by continuously attempting unauthorized login to the Web server function. The impact of this vulnerability will persist while the attacker continues to attempt unauthorized login.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-06T05:15:15Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules Web server function allows a remote unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally by continuously attempting unauthorized login to the Web server function. The impact of this vulnerability will persist while the attacker continues to attempt unauthorized login.",
  "id": "GHSA-23wc-j7fg-6xp5",
  "modified": "2023-11-06T06:30:26Z",
  "published": "2023-11-06T06:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4625"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/vu/JVNVU94620134"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02"
    },
    {
      "type": "WEB",
      "url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-014_en.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-245G-9F78-5JXC

Vulnerability from github – Published: 2023-08-24 18:30 – Updated: 2024-04-04 07:10
VLAI
Details

There is no limit on the number of login attempts in the web server for the SNAP PAC S1 Firmware version R10.3b. This could allow for a brute-force attack on the built-in web server login.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-24T17:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "There is no limit on the number of login attempts in the web server for the SNAP PAC S1 Firmware version R10.3b. This could allow for a brute-force attack on the built-in web server login.",
  "id": "GHSA-245g-9f78-5jxc",
  "modified": "2024-04-04T07:10:46Z",
  "published": "2023-08-24T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40706"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24WR-GX4F-PWRH

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12
VLAI
Details

VMware Workspace ONE Access and Identity Manager, unintentionally provide a login interface on port 7443. A malicious actor with network access to port 7443 may attempt user enumeration or brute force the login endpoint, which may or may not be practical based on lockout policy configuration and password complexity for the target account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-31T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "VMware Workspace ONE Access and Identity Manager, unintentionally provide a login interface on port 7443. A malicious actor with network access to port 7443 may attempt user enumeration or brute force the login endpoint, which may or may not be practical based on lockout policy configuration and password complexity for the target account.",
  "id": "GHSA-24wr-gx4f-pwrh",
  "modified": "2022-05-24T19:12:51Z",
  "published": "2022-05-24T19:12:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22003"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2021-0016.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-26WW-2C8F-2RGH

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability. A local authenticated malicious administrator could exploit this vulnerability to bypass excessive NVMe password attempt mitigations in order to carry out a brute force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36285"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-28T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability. A local authenticated malicious administrator could exploit this vulnerability to bypass excessive NVMe password attempt mitigations in order to carry out a brute force attack.",
  "id": "GHSA-26ww-2c8f-2rgh",
  "modified": "2022-05-24T19:15:56Z",
  "published": "2022-05-24T19:15:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36285"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/000191495"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-27MC-9399-R9MX

Vulnerability from github – Published: 2025-10-30 00:31 – Updated: 2025-10-30 17:05
VLAI
Summary
Drupal Access code allows Brute Force Attempts
Details

Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: from 0.0.0 before 2.0.5.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "drupal/access_code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-10928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-30T17:05:05Z",
    "nvd_published_at": "2025-10-30T00:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: from 0.0.0 before 2.0.5.",
  "id": "GHSA-27mc-9399-r9mx",
  "modified": "2025-10-30T17:05:06Z",
  "published": "2025-10-30T00:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10928"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2025-108"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Drupal Access code allows Brute Force Attempts"
}

GHSA-27X5-H3JG-F385

Vulnerability from github – Published: 2024-06-24 15:31 – Updated: 2026-06-03 15:30
VLAI
Details

Improper Restriction of Excessive Authentication Attempts vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Interface Manipulation.This issue affects Mia-Med Health Aplication: before 1.0.14.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-24T13:15:12Z",
    "severity": "HIGH"
  },
  "details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Interface Manipulation.This issue affects Mia-Med Health Aplication: before 1.0.14.",
  "id": "GHSA-27x5-h3jg-f385",
  "modified": "2026-06-03T15:30:33Z",
  "published": "2024-06-24T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5862"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-0765"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-24-0765"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Common protection mechanisms include:
  • Disconnecting the user after a small number of failed attempts
  • Implementing a timeout
  • Locking out a targeted account
  • Requiring a computational task on the user's part.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

CAPEC-49: Password Brute Forcing

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-565: Password Spraying

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.