CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
900 vulnerabilities reference this CWE, most recent first.
GHSA-VHRG-9CJQ-6J3H
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30A vulnerability in SonicOS allows a remote unauthenticated attacker to brute force Virtual Assist ticket ID in the firewall SSLVPN service. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.
{
"affected": [],
"aliases": [
"CVE-2020-5141"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-12T11:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability in SonicOS allows a remote unauthenticated attacker to brute force Virtual Assist ticket ID in the firewall SSLVPN service. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version SonicOS 7.0.0.0.",
"id": "GHSA-vhrg-9cjq-6j3h",
"modified": "2022-05-24T17:30:32Z",
"published": "2022-05-24T17:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5141"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0016"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VM2G-HVC6-GM5M
Vulnerability from github – Published: 2025-06-09 06:30 – Updated: 2025-06-09 06:30A vulnerability was found in Tenda TDSEE App up to 1.7.12. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /app/ConfirmSmsCode of the component Password Reset Confirmation Code Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.15 is able to address this issue. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2025-5864"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-09T06:15:26Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Tenda TDSEE App up to 1.7.12. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /app/ConfirmSmsCode of the component Password Reset Confirmation Code Handler. The manipulation leads to improper restriction of excessive authentication attempts. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.15 is able to address this issue. It is recommended to upgrade the affected component.",
"id": "GHSA-vm2g-hvc6-gm5m",
"modified": "2025-06-09T06:30:23Z",
"published": "2025-06-09T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5864"
},
{
"type": "WEB",
"url": "https://blog.kevgen.ru/posts/account_takeover_in_tdsee_app"
},
{
"type": "WEB",
"url": "https://github.com/k3vg3n/researches/blob/main/Account_takeover_in_TDSEE_app.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.311623"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.311623"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.592074"
},
{
"type": "WEB",
"url": "https://www.tenda.com.cn"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-VM4W-8V23-V75W
Vulnerability from github – Published: 2022-10-13 12:00 – Updated: 2022-10-15 12:01Dell EMC XtremIO versions prior to X2 6.4.0-22 contain a bruteforce vulnerability. A remote unauthenticated attacker can potentially exploit this vulnerability and gain access to an admin account.
{
"affected": [],
"aliases": [
"CVE-2022-31228"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-12T20:15:00Z",
"severity": "CRITICAL"
},
"details": "Dell EMC XtremIO versions prior to X2 6.4.0-22 contain a bruteforce vulnerability. A remote unauthenticated attacker can potentially exploit this vulnerability and gain access to an admin account.",
"id": "GHSA-vm4w-8v23-v75w",
"modified": "2022-10-15T12:01:02Z",
"published": "2022-10-13T12:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31228"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000204112/dsa-2022-145-dell-emc-xtremeio-for-ssh-and-web-ui-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VMFM-CH9H-5C7G
Vulnerability from github – Published: 2026-05-04 20:52 – Updated: 2026-05-13 13:41Summary
The HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting.
An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds).
Details
Vulnerable code: src/interfaces/ws.ts, function processLoginRequest (lines 753-780)
The function directly calls app.securityStrategy.login(msg.login.username, msg.login.password) with no throttling or attempt tracking.
Rate-limited HTTP path for comparison: src/tokensecurity.ts lines 609-617 apply loginLimiter middleware to the HTTP login routes at line 637.
Steps to Reproduce
- Start Signal K server with security enabled
- Open a WebSocket connection to
ws://server:3000/signalk/v1/stream?subscribe=none - Wait for the hello message
- Send login attempts in rapid succession:
json {"requestId": "1", "login": {"username": "admin", "password": "guess1"}} {"requestId": "2", "login": {"username": "admin", "password": "guess2"}} - Observe that all attempts are processed without any 429 response or throttling
- For comparison, send 100+ HTTP POST requests to
/signalk/v1/auth/login— the 101st returns 429
A POC script is available that demonstrates both the HTTP rate limiting working correctly and the WebSocket path accepting unlimited attempts.
Impact
- Credential brute-forcing via the WebSocket protocol at ~20 attempts/sec (bcrypt-limited)
- Complete bypass of the HTTP rate limiting defense
- A single WebSocket connection is sufficient for unlimited attempts
- With multiple parallel connections, throughput multiplies
- A 10,000-word dictionary attack completes in ~8 minutes over a single connection
Signal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN.
CWE
CWE-307: Improper Restriction of Excessive Authentication Attempts
Suggested Fix
Track failed login attempts per remote IP in a shared store (or reuse the existing express-rate-limit store) that is checked in both the HTTP login middleware and the processLoginRequest WebSocket handler.
Context
Found while building an open source maritime security scanner. Verified on v2.24.0 (current master).
Discovered by Mark Curphey
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.24.0"
},
"package": {
"ecosystem": "npm",
"name": "signalk-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41893"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T20:52:06Z",
"nvd_published_at": "2026-05-09T20:16:27Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe HTTP login endpoints (`POST /login` and `POST /signalk/v1/auth/login`) are protected by `express-rate-limit` (default: 100 attempts per 10-minute window, configurable via `HTTP_RATE_LIMITS`). The WebSocket login path \u2014 sending `{login: {username, password}}` messages over an established WebSocket connection \u2014 calls `app.securityStrategy.login()` directly without any rate limiting.\n\nAn attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds).\n\n## Details\n\n**Vulnerable code:** `src/interfaces/ws.ts`, function `processLoginRequest` (lines 753-780)\n\nThe function directly calls `app.securityStrategy.login(msg.login.username, msg.login.password)` with no throttling or attempt tracking.\n\n**Rate-limited HTTP path for comparison:** `src/tokensecurity.ts` lines 609-617 apply `loginLimiter` middleware to the HTTP login routes at line 637.\n\n## Steps to Reproduce\n\n1. Start Signal K server with security enabled\n2. Open a WebSocket connection to `ws://server:3000/signalk/v1/stream?subscribe=none`\n3. Wait for the hello message\n4. Send login attempts in rapid succession:\n ```json\n {\"requestId\": \"1\", \"login\": {\"username\": \"admin\", \"password\": \"guess1\"}}\n {\"requestId\": \"2\", \"login\": {\"username\": \"admin\", \"password\": \"guess2\"}}\n ```\n5. Observe that all attempts are processed without any 429 response or throttling\n6. For comparison, send 100+ HTTP POST requests to `/signalk/v1/auth/login` \u2014 the 101st returns 429\n\nA POC script is available that demonstrates both the HTTP rate limiting working correctly and the WebSocket path accepting unlimited attempts.\n\n## Impact\n\n- Credential brute-forcing via the WebSocket protocol at ~20 attempts/sec (bcrypt-limited)\n- Complete bypass of the HTTP rate limiting defense\n- A single WebSocket connection is sufficient for unlimited attempts\n- With multiple parallel connections, throughput multiplies\n- A 10,000-word dictionary attack completes in ~8 minutes over a single connection\n\nSignal K servers are commonly deployed on boat networks where they may be accessible to other devices on the same LAN.\n\n## CWE\n\nCWE-307: Improper Restriction of Excessive Authentication Attempts\n\n## Suggested Fix\n\nTrack failed login attempts per remote IP in a shared store (or reuse the existing express-rate-limit store) that is checked in both the HTTP login middleware and the processLoginRequest WebSocket handler.\n\n## Context\n\nFound while building an open source maritime security scanner. Verified on v2.24.0 (current master).\n\nDiscovered by Mark Curphey",
"id": "GHSA-vmfm-ch9h-5c7g",
"modified": "2026-05-13T13:41:34Z",
"published": "2026-05-04T20:52:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vmfm-ch9h-5c7g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41893"
},
{
"type": "WEB",
"url": "https://github.com/SignalK/signalk-server/pull/2568"
},
{
"type": "WEB",
"url": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d"
},
{
"type": "PACKAGE",
"url": "https://github.com/SignalK/signalk-server"
},
{
"type": "WEB",
"url": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Signal K Server\u0027s WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)"
}
GHSA-VP33-G4HG-RCWQ
Vulnerability from github – Published: 2024-09-11 12:30 – Updated: 2024-09-11 12:30An improper authorization vulnerability [CWE-285] in FortiSOAR version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, 7.0.0 through 7.0.3 change password endpoint may allow an authenticated attacker to perform a brute force attack on users and administrators password via crafted HTTP requests.
{
"affected": [],
"aliases": [
"CVE-2024-45327"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-11T10:15:02Z",
"severity": "HIGH"
},
"details": "An improper authorization vulnerability [CWE-285] in FortiSOAR version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, 7.0.0 through 7.0.3 change password endpoint may allow an authenticated attacker to perform a brute force attack on users and administrators password via crafted HTTP requests.",
"id": "GHSA-vp33-g4hg-rcwq",
"modified": "2024-09-11T12:30:51Z",
"published": "2024-09-11T12:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45327"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-048"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VQ9X-W82R-RHMC
Vulnerability from github – Published: 2025-08-13 15:30 – Updated: 2025-08-20 15:54Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can repeatedly submit login attempts without restrictions, potentially gaining unauthorized administrative access. This vulnerability corresponds to CWE-307: Improper Restriction of Excessive Authentication Attempts.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "soosyze/soosyze"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-52392"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-13T23:13:41Z",
"nvd_published_at": "2025-08-13T14:15:31Z",
"severity": "HIGH"
},
"details": "Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can repeatedly submit login attempts without restrictions, potentially gaining unauthorized administrative access. This vulnerability corresponds to CWE-307: Improper Restriction of Excessive Authentication Attempts.",
"id": "GHSA-vq9x-w82r-rhmc",
"modified": "2025-08-20T15:54:59Z",
"published": "2025-08-13T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52392"
},
{
"type": "WEB",
"url": "https://github.com/soosyze/soosyze/issues/269"
},
{
"type": "WEB",
"url": "https://beafn28.gitbook.io/beafn28/cve/brute-force-login-vulnerability-in-soosyze-cms-2.0-cve-2025-52392"
},
{
"type": "PACKAGE",
"url": "https://github.com/soosyze/soosyze"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/52416"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Soosyze CMS\u0027s /user/login endpoint missing rate-limiting and lockout mechanisms"
}
GHSA-VQPR-CWPG-2999
Vulnerability from github – Published: 2022-12-26 06:30 – Updated: 2023-01-05 18:30Weak password derivation for export in Devolutions Remote Desktop Manager before 2022.1 allows information disclosure via a password brute-force attack. An error caused base64 to be decoded.
{
"affected": [],
"aliases": [
"CVE-2022-26964"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-26T06:15:00Z",
"severity": "HIGH"
},
"details": "Weak password derivation for export in Devolutions Remote Desktop Manager before 2022.1 allows information disclosure via a password brute-force attack. An error caused base64 to be decoded.",
"id": "GHSA-vqpr-cwpg-2999",
"modified": "2023-01-05T18:30:29Z",
"published": "2022-12-26T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26964"
},
{
"type": "WEB",
"url": "https://devolutions.net/security/advisories/DEVO-2022-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VV3H-7QWR-722V
Vulnerability from github – Published: 2026-03-11 15:33 – Updated: 2026-03-24 21:11Impact
The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code.
Affected components: - Anytype Desktop (all platforms) ≤ v0.48.2 - Anytype-CLI (headless deployments) ≤ v0.1.9
Not affected: - Anytype mobile apps (iOS, Android) - do not expose a local gRPC server
Who is impacted: This vulnerability is scoped to localhost. The gRPC and gRPC-Web ports bind to 127.0.0.1 only and are not exposed to the local network or internet.
Exploitation requires:
- Local user-level access to the machine running Anytype
- Discovery of the randomized listening port
- A running Anytype instance
Anytype-CLI headless deployments may be at higher risk only if an administrator has chosen to set up their own reverse proxy and configured it in a way that exposes gRPC or gRPC-Web ports to an external network. By default, these ports are not externally accessible and there is no built-in mechanism to expose them.
Patches
- anytype-heart library: v0.48.4
- Anytype Desktop: v0.54.5
- Anytype-CLI: v0.1.11
Workarounds
- Desktop users: No immediate action required. The vulnerability requires existing local access to the machine.
- Anytype-CLI administrators: If using a custom reverse proxy, ensure it does not expose gRPC or gRPC-Web ports to external networks.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/anyproto/anytype-heart"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.48.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/anyproto/anytype-cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-31863"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-11T15:33:29Z",
"nvd_published_at": "2026-03-11T18:16:25Z",
"severity": "LOW"
},
"details": "#### Impact\nThe challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code.\n\nAffected components:\n- Anytype Desktop (all platforms) \u2264 v0.48.2\n- Anytype-CLI (headless deployments) \u2264 v0.1.9\n\nNot affected:\n- Anytype mobile apps (iOS, Android) - do not expose a local gRPC server\n\nWho is impacted:\nThis vulnerability is scoped to localhost. The gRPC and gRPC-Web ports bind to 127.0.0.1 only and are not exposed to the local network or internet.\n\n### Exploitation requires:\n- Local user-level access to the machine running Anytype\n- Discovery of the randomized listening port\n- A running Anytype instance\n\nAnytype-CLI headless deployments may be at higher risk only if an administrator has chosen to set up their own reverse proxy and configured it in a way that\nexposes gRPC or gRPC-Web ports to an external network. **By default, these ports are not externally accessible and there is no built-in mechanism to expose them.**\n\n#### Patches\n- anytype-heart library: v0.48.4\n- [Anytype Desktop](https://github.com/anyproto/anytype-ts): v0.54.5\n- [Anytype-CLI](https://github.com/anyproto/anytype-cli): v0.1.11\n\n#### Workarounds\n- Desktop users: No immediate action required. The vulnerability requires existing local access to the machine.\n- Anytype-CLI administrators: If using a custom reverse proxy, ensure it does not expose gRPC or gRPC-Web ports to external networks.",
"id": "GHSA-vv3h-7qwr-722v",
"modified": "2026-03-24T21:11:53Z",
"published": "2026-03-11T15:33:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/anyproto/anytype-heart/security/advisories/GHSA-vv3h-7qwr-722v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31863"
},
{
"type": "WEB",
"url": "https://github.com/anyproto/anytype-cli"
},
{
"type": "PACKAGE",
"url": "https://github.com/anyproto/anytype-heart"
},
{
"type": "WEB",
"url": "https://github.com/anyproto/anytype-ts"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2026-4680"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Anytype Heart\u0027s gRPC API client challenge verification can be bypassed on localhost"
}
GHSA-VVGV-54PP-4XR8
Vulnerability from github – Published: 2023-07-07 00:30 – Updated: 2024-04-04 05:50The number of login attempts is not limited. This could allow an attacker to perform a brute force on HTTP basic authentication.
{
"affected": [],
"aliases": [
"CVE-2023-33868"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-06T23:15:09Z",
"severity": "CRITICAL"
},
"details": "\n\n\nThe number of login attempts is not limited. This could allow an attacker to perform a brute force on HTTP basic authentication.\n\n\n\n",
"id": "GHSA-vvgv-54pp-4xr8",
"modified": "2024-04-04T05:50:06Z",
"published": "2023-07-07T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33868"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-187-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVXM-2VXQ-RHGQ
Vulnerability from github – Published: 2024-09-18 12:31 – Updated: 2026-06-03 15:30Improper Restriction of Excessive Authentication Attempts vulnerability in Yordam Information Technology Yordam Library Automation System allows Interface Manipulation.This issue affects Yordam Library Automation System: before 20.1.
{
"affected": [],
"aliases": [
"CVE-2024-5682"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T12:15:03Z",
"severity": "MODERATE"
},
"details": "Improper Restriction of Excessive Authentication Attempts vulnerability in Yordam Information Technology Yordam Library Automation System allows Interface Manipulation.This issue affects Yordam Library Automation System: before 20.1.",
"id": "GHSA-vvxm-2vxq-rhgq",
"modified": "2026-06-03T15:30:34Z",
"published": "2024-09-18T12:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5682"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-24-1496"
},
{
"type": "WEB",
"url": "https://www.usom.gov.tr/bildirim/tr-24-1496"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.