CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
900 vulnerabilities reference this CWE, most recent first.
GHSA-H2WF-696M-6FJ8
Vulnerability from github – Published: 2024-11-15 12:31 – Updated: 2024-11-15 12:31phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. The issue lies in the 'get_user_ip()' function in 'class.Common.php' at lines 1044 and 1045, where the presence of the 'X-Forwarded-For' header is checked and used instead of 'REMOTE_ADDR'. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0.
{
"affected": [],
"aliases": [
"CVE-2024-0787"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-15T11:15:09Z",
"severity": "MODERATE"
},
"details": "phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the \u0027X-Forwarded-For\u0027 header. The issue lies in the \u0027get_user_ip()\u0027 function in \u0027class.Common.php\u0027 at lines 1044 and 1045, where the presence of the \u0027X-Forwarded-For\u0027 header is checked and used instead of \u0027REMOTE_ADDR\u0027. This vulnerability allows attackers to perform brute force attacks on user accounts, including the admin account. The issue is fixed in version 1.7.0.",
"id": "GHSA-h2wf-696m-6fj8",
"modified": "2024-11-15T12:31:45Z",
"published": "2024-11-15T12:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0787"
},
{
"type": "WEB",
"url": "https://github.com/phpipam/phpipam/commit/55c2056068be9f1359e967fcff64db6b7f4d00b5"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/840cb582-1feb-43ab-9cc4-e4b5a63c5bab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-H596-VPGV-58R7
Vulnerability from github – Published: 2026-05-19 18:32 – Updated: 2026-05-19 21:32In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break (EPB) and Supplemental Restoration System (SRS) related ECUs.
{
"affected": [],
"aliases": [
"CVE-2025-61081"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-19T18:16:19Z",
"severity": "HIGH"
},
"details": "In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break (EPB) and Supplemental Restoration System (SRS) related ECUs.",
"id": "GHSA-h596-vpgv-58r7",
"modified": "2026-05-19T21:32:03Z",
"published": "2026-05-19T18:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61081"
},
{
"type": "WEB",
"url": "https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link"
},
{
"type": "WEB",
"url": "https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5GM-X9WR-VHCM
Vulnerability from github – Published: 2026-06-19 21:15 – Updated: 2026-06-19 21:15Summary
The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided.
Details
When an attacker submits coupon codes against the session-based cart (without passing a 'number' parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.
Vulnerable Code
PoC
Complete instructions, including specific configuration details, to reproduce the vulnerability.
Impact
An attacker can enumerate all coupon codes through automated requests.
Remediation Apply rate limiting unconditionally on actionUpdateCart regardless of whether 'number' is present.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.6.4"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.6.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.11.1"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/commerce"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.11.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55795"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:15:26Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe CartController defines a RateLimiter behavior that is only activated when the \u0027number\u0027 POST/GET parameter is explicitly provided.\n\n### Details\n\nWhen an attacker submits coupon codes against the session-based cart (without passing a \u0027number\u0027 parameter), no rate limiting is applied. This allows unlimited attempts to guess coupon codes.\n\n**Vulnerable Code**\n\u003cimg width=\"864\" height=\"90\" alt=\"resim\" src=\"https://github.com/user-attachments/assets/a5197f10-f1fd-4331-93f9-9479d0ceebba\" /\u003e\n\n\u003cimg width=\"881\" height=\"272\" alt=\"resim\" src=\"https://github.com/user-attachments/assets/d9db963f-5d1f-4b00-a4b4-5f2dfe2b71dd\" /\u003e\n\n\u003cimg width=\"861\" height=\"271\" alt=\"resim\" src=\"https://github.com/user-attachments/assets/f7842493-3bc0-4e99-956c-7266bab15703\" /\u003e\n\n### PoC\nComplete instructions, including specific configuration details, to reproduce the vulnerability.\n\n\u003cimg width=\"909\" height=\"171\" alt=\"resim\" src=\"https://github.com/user-attachments/assets/cfc8c994-5e0c-48de-b728-464029beba0e\" /\u003e\n\n### Impact\nAn attacker can enumerate all coupon codes through automated requests.\n\n**Remediation**\nApply rate limiting unconditionally on actionUpdateCart regardless of whether \u0027number\u0027 is present.",
"id": "GHSA-h5gm-x9wr-vhcm",
"modified": "2026-06-19T21:15:26Z",
"published": "2026-06-19T21:15:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/security/advisories/GHSA-h5gm-x9wr-vhcm"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/commerce/commit/df22c4f9c4ea7fb7857d833f755e49ea6f9f5bb5"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/commerce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass"
}
GHSA-H5XX-JCPX-5HR9
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. This bug only affects Firefox on Linux. Other operating systems are unaffected.. This vulnerability affects Firefox < 91 and Thunderbird < 91.
{
"affected": [],
"aliases": [
"CVE-2021-29987"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-17T20:15:00Z",
"severity": "MODERATE"
},
"details": "After requesting multiple permissions, and closing the first permission panel, subsequent permission panels will be displayed in a different position but still record a click in the default location, making it possible to trick a user into accepting a permission they did not want to. *This bug only affects Firefox on Linux. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 91 and Thunderbird \u003c 91.",
"id": "GHSA-h5xx-jcpx-5hr9",
"modified": "2022-05-24T19:11:21Z",
"published": "2022-05-24T19:11:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29987"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1716129"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202202-03"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-36"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H6R2-PGVX-683C
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2026-06-10 18:45Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component app/api/cms/user.py.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Lin-CMS"
},
"versions": [
"0.1.1"
]
}
],
"aliases": [
"CVE-2020-18698"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-01T16:45:58Z",
"nvd_published_at": "2021-08-16T18:15:00Z",
"severity": "CRITICAL"
},
"details": "Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the \u0027login\u0027 function in the component `app/api/cms/user.py`.",
"id": "GHSA-h6r2-pgvx-683c",
"modified": "2026-06-10T18:45:05Z",
"published": "2022-05-24T19:11:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18698"
},
{
"type": "WEB",
"url": "https://github.com/TaleLin/lin-cms-flask/issues/27"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/307.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/TaleLin/lin-cms-flask"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/lin-cms/PYSEC-2021-339.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Lin-CMS-Flask vulnerable to Improper Authentication"
}
GHSA-H7JX-W3WH-PW57
Vulnerability from github – Published: 2023-03-23 21:30 – Updated: 2023-03-30 18:30Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.
{
"affected": [],
"aliases": [
"CVE-2022-36413"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-23T20:15:00Z",
"severity": "CRITICAL"
},
"details": "Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.",
"id": "GHSA-h7jx-w3wh-pw57",
"modified": "2023-03-30T18:30:33Z",
"published": "2023-03-23T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36413"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2022-36413.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H7M5-VJWP-2JFX
Vulnerability from github – Published: 2025-10-27 15:30 – Updated: 2025-10-27 15:30Unexpected authentication form rendering in HTML Form Adapter using only non-default redirectless mode in PingFederate allows authentication attempts which may enable brute force login attacks.
{
"affected": [],
"aliases": [
"CVE-2025-26862"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-27T15:15:37Z",
"severity": "LOW"
},
"details": "Unexpected authentication form rendering in HTML Form Adapter using only non-default redirectless mode in PingFederate allows authentication attempts which may enable brute force login attacks.",
"id": "GHSA-h7m5-vjwp-2jfx",
"modified": "2025-10-27T15:30:42Z",
"published": "2025-10-27T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26862"
},
{
"type": "WEB",
"url": "https://support.pingidentity.com/s/article/PingFederate-unexpected-template-rendering-in-redirectless-mode"
},
{
"type": "WEB",
"url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:L/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-H94G-97QR-74VM
Vulnerability from github – Published: 2023-12-05 00:31 – Updated: 2024-08-01 15:31A client side rate limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute force style attacks.
{
"affected": [],
"aliases": [
"CVE-2023-24051"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-04T23:15:23Z",
"severity": "CRITICAL"
},
"details": "A client side rate limit issue discovered in Connectize AC21000 G6 641.139.1.1256 allows attackers to gain escalated privileges via brute force style attacks.",
"id": "GHSA-h94g-97qr-74vm",
"modified": "2024-08-01T15:31:25Z",
"published": "2023-12-05T00:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24051"
},
{
"type": "WEB",
"url": "https://research.nccgroup.com/2023/10/19/technical-advisory-multiple-vulnerabilities-in-connectize-g6-ac2100-dual-band-gigabit-wifi-router-cve-2023-24046-cve-2023-24047-cve-2023-24048-cve-2023-24049-cve-2023-24050-cve-2023-24051-cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HC8R-P4JW-P6FR
Vulnerability from github – Published: 2026-06-22 15:30 – Updated: 2026-06-22 15:30AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access.
The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.
{
"affected": [],
"aliases": [
"CVE-2026-56450"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T14:17:50Z",
"severity": "MODERATE"
},
"details": "AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access.\n\n\nThe patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.",
"id": "GHSA-hc8r-p4jw-p6fr",
"modified": "2026-06-22T15:30:45Z",
"published": "2026-06-22T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56450"
},
{
"type": "WEB",
"url": "https://github.com/ail-project/ail-framework/commit/d3a394fe68fd5aeee86f3a3c91d4a0350f91e974"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HCHV-VV89-9PXP
Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2022-10-19 19:00An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account.
{
"affected": [],
"aliases": [
"CVE-2022-3031"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T16:15:00Z",
"severity": "HIGH"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user\u0027s password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account.",
"id": "GHSA-hchv-vv89-9pxp",
"modified": "2022-10-19T19:00:22Z",
"published": "2022-10-17T19:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3031"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3031.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/340395"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.