CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
905 vulnerabilities reference this CWE, most recent first.
GHSA-8889-9G3F-73RJ
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2023-09-26 19:49Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-18986"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-18T22:09:22Z",
"nvd_published_at": "2019-11-15T05:15:00Z",
"severity": "HIGH"
},
"details": "Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the \u0027forgot password\u0027 functionality as it returns distinct messages for invalid password and non-existing users.",
"id": "GHSA-8889-9g3f-73rj",
"modified": "2023-09-26T19:49:07Z",
"published": "2022-05-24T17:01:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18986"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/commit/4a7bba5c3f818852cbbd29fa124f7fb09a207185"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Pimcore Discloses Usernames In Use"
}
GHSA-88MR-9R66-X2C9
Vulnerability from github – Published: 2025-03-19 15:31 – Updated: 2025-03-19 15:31HCL MyXalytics is affected by concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential allowing an attacker to potentially obtain access to a user's account or sensitive information.
{
"affected": [],
"aliases": [
"CVE-2024-42176"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-19T15:15:49Z",
"severity": "LOW"
},
"details": "HCL MyXalytics is affected by concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential allowing an attacker to potentially obtain access to a user\u0027s account or sensitive information.",
"id": "GHSA-88mr-9r66-x2c9",
"modified": "2025-03-19T15:31:45Z",
"published": "2025-03-19T15:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42176"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0119919"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-88VC-RC72-29F3
Vulnerability from github – Published: 2026-07-11 00:31 – Updated: 2026-07-11 00:31Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack.
{
"affected": [],
"aliases": [
"CVE-2026-42952"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T23:16:48Z",
"severity": "HIGH"
},
"details": "Previously, there was no throttling on repeated authentication attempts \nto the charging station backend, which could allow an attacker to \nexecute a denial-of-service attack.",
"id": "GHSA-88vc-rc72-29f3",
"modified": "2026-07-11T00:31:50Z",
"published": "2026-07-11T00:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42952"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-188-01.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01"
},
{
"type": "WEB",
"url": "https://www.hydroquebec.com/nous-joindre"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-89MJ-Q662-X3R3
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:36An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiOS version 7.2.0 through 7.2.3 and before 7.0.10, FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8 administrative interface allows an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.
{
"affected": [],
"aliases": [
"CVE-2022-43947"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-11T17:15:00Z",
"severity": "HIGH"
},
"details": "An\u00a0improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiOS version 7.2.0 through 7.2.3 and before 7.0.10, FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8 administrative interface allows an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.",
"id": "GHSA-89mj-q662-x3r3",
"modified": "2024-04-04T05:36:00Z",
"published": "2023-07-06T19:24:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43947"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-444"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8FC2-FHH6-F6M5
Vulnerability from github – Published: 2025-02-13 00:33 – Updated: 2025-02-24 19:03An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "alextselegidis/easyappointments"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-57602"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-24T19:03:38Z",
"nvd_published_at": "2025-02-12T22:15:40Z",
"severity": "CRITICAL"
},
"details": "An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file.",
"id": "GHSA-8fc2-fhh6-f6m5",
"modified": "2025-02-24T19:03:38Z",
"published": "2025-02-13T00:33:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57602"
},
{
"type": "PACKAGE",
"url": "https://github.com/alextselegidis/easyappointments"
},
{
"type": "WEB",
"url": "https://hkohi.ca/vulnerability/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Easy!Appointments Improper Restriction of Excessive Authentication Attempts "
}
GHSA-8GV5-GQXV-V6MQ
Vulnerability from github – Published: 2026-03-21 00:31 – Updated: 2026-03-21 00:31The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2026-31904"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-20T23:16:44Z",
"severity": "HIGH"
},
"details": "The WebSocket Application Programming Interface lacks restrictions on the number of\u00a0authentication requests. This absence of rate limiting may allow an attacker to conduct\u00a0denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.",
"id": "GHSA-8gv5-gqxv-v6mq",
"modified": "2026-03-21T00:31:43Z",
"published": "2026-03-21T00:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31904"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-078-06.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-078-06"
},
{
"type": "WEB",
"url": "https://www.ctek.com/support"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8HG6-3X59-7XJR
Vulnerability from github – Published: 2022-02-10 00:00 – Updated: 2022-04-13 00:01A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions < V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions), SIMATIC WinCC V16 (All versions < V16 Update 5), SIMATIC WinCC V17 (All versions < V17 Update 2), SIMATIC WinCC V7.4 and earlier (All versions), SIMATIC WinCC V7.5 (All versions < V7.5 SP2 Update 6). The password hash of a local user account in the remote server could be granted via public API to a user on the affected system. An authenticated attacker could brute force the password hash and use it to login to the server.
{
"affected": [],
"aliases": [
"CVE-2021-40360"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-307",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-09T16:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SIMATIC PCS 7 V8.2 and earlier (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions \u003c V9.1 SP1), SIMATIC WinCC V15 and earlier (All versions), SIMATIC WinCC V16 (All versions \u003c V16 Update 5), SIMATIC WinCC V17 (All versions \u003c V17 Update 2), SIMATIC WinCC V7.4 and earlier (All versions), SIMATIC WinCC V7.5 (All versions \u003c V7.5 SP2 Update 6). The password hash of a local user account in the remote server could be granted via public API to a user on the affected system. An authenticated attacker could brute force the password hash and use it to login to the server.",
"id": "GHSA-8hg6-3x59-7xjr",
"modified": "2022-04-13T00:01:10Z",
"published": "2022-02-10T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40360"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-914168.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8HM3-X962-R5C7
Vulnerability from github – Published: 2024-10-24 21:31 – Updated: 2024-10-25 21:31A lack of rate limiting in the OTP validation component of Digitory Multi Channel Integrated POS v1.0 allows attackers to gain access to the ordering system and place an excessive amount of food orders.
{
"affected": [],
"aliases": [
"CVE-2024-48143"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-24T19:15:15Z",
"severity": "CRITICAL"
},
"details": "A lack of rate limiting in the OTP validation component of Digitory Multi Channel Integrated POS v1.0 allows attackers to gain access to the ordering system and place an excessive amount of food orders.",
"id": "GHSA-8hm3-x962-r5c7",
"modified": "2024-10-25T21:31:27Z",
"published": "2024-10-24T21:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48143"
},
{
"type": "WEB",
"url": "https://digitory.com/multi-channel-integrated-pos"
},
{
"type": "WEB",
"url": "https://github.com/soursec/CVEs/tree/main/CVE-2024-48143"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8HW3-GHWV-CRFH
Vulnerability from github – Published: 2025-10-30 00:31 – Updated: 2025-10-30 17:07Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.4.0-ga1"
},
{
"fixed": "7.4.3.120"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62257"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-30T17:07:12Z",
"nvd_published_at": "2025-10-30T00:15:34Z",
"severity": "MODERATE"
},
"details": "Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user\u2019s password even if account lockout is enabled via brute force attack.",
"id": "GHSA-8hw3-ghwv-crfh",
"modified": "2025-10-30T17:07:13Z",
"published": "2025-10-30T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62257"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/45cffd5030ab78e8b005d9cfd6284311da978c68"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/924a0a47007665693fe2d29623cb48a426a80266"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/d21627ac07561c5063f611be631e63ff502ec8e7"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-17692"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62257"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Liferay Portal vulnerable to password enumeration"
}
GHSA-8M4G-7Q24-6QWQ
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2024-03-21 03:34** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through 6.3.2.12 is affected by Improper Restriction of Excessive Authentication Attempts. An attacker is able to perform an arbitrary number of /web/frames/ authentication attempts using different passwords, and eventually gain access to a targeted account, NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [],
"aliases": [
"CVE-2021-28248"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-26T08:15:00Z",
"severity": "HIGH"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** CA eHealth Performance Manager through 6.3.2.12 is affected by Improper Restriction of Excessive Authentication Attempts. An attacker is able to perform an arbitrary number of /web/frames/ authentication attempts using different passwords, and eventually gain access to a targeted account, NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-8m4g-7q24-6qwq",
"modified": "2024-03-21T03:34:03Z",
"published": "2022-05-24T17:45:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28248"
},
{
"type": "WEB",
"url": "https://n4nj0.github.io/advisories/ca-ehealth-performance-manager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.