Total: 372 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2021-41435 | 1 Asus | 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more | 2024-08-04 | 9.8 Critical | A brute-force protection bypass in the CAPTCHA protection of ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series (RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6 and ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to make an unlimited number of login attempts by sending a specific HTTP request. |
CVE-2021-41171 | 1 Elabftw | 1 Elabftw | 2024-08-04 | 5.9 Medium | eLabFTW is an open source electronic lab notebook manager for research teams. Versions of eLabFTW before 4.1.0 allow attackers to bypass the brute-force protection mechanism by sending many different forged PHPSESSID values in the HTTP Cookie header. This issue has been addressed by implementing brute-force login protection with Device Cookies, as recommended by OWASP. This mechanism does not impact users and effectively thwarts brute-force password guessing. The only complete fix is to upgrade to version 4.1.0. Adding rate limiting upstream of the eLabFTW service is also a valid option, with or without upgrading. |
CVE-2021-38725 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-08-04 | 5.3 Medium | Fuel CMS 1.5.0 has a brute-force vulnerability in fuel/modules/fuel/controllers/Login.php: the login controller does not restrict repeated login attempts, allowing password guessing. |
CVE-2021-38155 | 1 Openstack | 1 Keystone | 2024-08-04 | 7.5 High | OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor can both confirm that the account exists and obtain that account's UUID, which might be leveraged for other, unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected. |
CVE-2021-37934 | 1 Huntflow | 1 Huntflow Enterprise | 2024-08-04 | 9.8 Critical | Due to insufficient server-side enforcement of a login-attempt limit, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to make an unlimited number of login attempts for brute-force password guessing. |
CVE-2021-36750 | 2 Sandisk, Zendesk | 3 Secureaccess, Enc Datavault, Enc Vaultapi | 2024-08-04 | 8.1 High | ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names). |
CVE-2021-35472 | 2 Debian, Lemonldap-ng | 2 Debian Linux, LemonLDAP::NG | 2024-08-04 | 8.8 High | An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker might alternately be authenticated as one of two different users. |
CVE-2021-33209 | 1 Fimer | 1 Aurora Vision | 2024-08-03 | 5.3 Medium | An issue was discovered in Fimer Aurora Vision before 2.97.10. The response to a failed login attempt discloses whether the username or the password is wrong, helping an attacker to enumerate usernames. This makes a brute-force attack easier. |
CVE-2021-33190 | 1 Apache | 1 Apisix Dashboard | 2024-08-03 | 5.3 Medium | In Apache APISIX Dashboard version 2.6, the default value of the listen host was changed to 0.0.0.0 to make it easier for users to configure external network access. In the IP allow-list restriction, an unsafe function was used to obtain the client IP, which made it possible to bypass the network restriction. At the same time, the default account and password are fixed. Together, these factors create a security risk. This issue is fixed in APISIX Dashboard 2.6.1. |
CVE-2021-32703 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2024-08-03 | 5.3 Medium | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was no rate limiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds. |
CVE-2021-32678 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2024-08-03 | 3.7 Low | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, rate limits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. The risk depends on the applications installed on the Nextcloud Server, but ranges from bypassing authentication rate limits to spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds other than upgrading are known to exist. |
CVE-2021-32705 | 2 Fedoraproject, Nextcloud | 2 Fedora, Nextcloud Server | 2024-08-03 | 5.3 Medium | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was no rate limiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds. |
CVE-2021-31646 | 1 Gestsup | 1 Gestsup | 2024-08-03 | 9.8 Critical | Gestsup before 3.2.10 allows remote account takeover through the password recovery functionality. The affected component is the file forgot_pwd.php: it uses a weak algorithm for generating password recovery tokens (PHP's uniqid() function, which derives the token from the current time), allowing the token to be brute-forced. |
CVE-2021-29987 | 2 Linux, Mozilla | 3 Linux Kernel, Firefox, Thunderbird | 2024-08-03 | 6.5 Medium | After requesting multiple permissions and closing the first permission panel, subsequent permission panels are displayed in a different position but still register a click in the default location, making it possible to trick a user into accepting a permission they did not want to grant. This bug only affects Firefox on Linux; other operating systems are unaffected. This vulnerability affects Firefox < 91 and Thunderbird < 91. |
CVE-2021-28248 | 1 Broadcom | 1 Ehealth | 2024-08-03 | 7.5 High | CA eHealth Performance Manager through 6.3.2.12 is affected by Improper Restriction of Excessive Authentication Attempts. An attacker is able to perform an arbitrary number of /web/frames/ authentication attempts using different passwords and eventually gain access to a targeted account. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
CVE-2021-29648 | 2 Fedoraproject, Linux | 2 Fedora, Linux Kernel | 2024-08-03 | 5.5 Medium | An issue was discovered in the Linux kernel before 5.11.11. The BPF subsystem does not properly consider that resolved_ids and resolved_sizes are intentionally uninitialized in the vmlinux BPF Type Format (BTF), which can cause a system crash upon an unexpected access attempt (in map_create in kernel/bpf/syscall.c or check_btf_info in kernel/bpf/verifier.c), aka CID-350a5c4dd245. |
CVE-2021-29023 | 1 Invoiceplane | 1 Invoiceplane | 2024-08-03 | 5.3 Medium | InvoicePlane 1.5.11 has no rate limiting on password reset, and the reset token is generated using a weak, predictable mechanism. |
CVE-2021-28911 | 1 Bab-technologie | 2 Eibport, Eibport Firmware | 2024-08-03 | 9.8 Critical | BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 allows unauthenticated attackers to access the /tmp path, which contains sensitive data (e.g. the device serial number). With that information, a valid loginId can be calculated and used in a brute-force attack against the BMX interface. This is usable as part of an attack chain to gain SSH root access. |
CVE-2021-28909 | 1 Bab-technologie | 2 Eibport, Eibport Firmware | 2024-08-03 | 9.8 Critical | BAB TECHNOLOGIE GmbH eibPort V3 prior to version 3.9.1 allows unauthenticated attackers unrestricted access to the login service at /webif/SecurityModule for a brute-force attack. The password may be weak, and the default username is known to be 'admin'. This is usable as part of an attack chain to gain SSH root access. |
CVE-2021-28127 | 1 Stormshield | 1 Stormshield Network Security | 2024-08-03 | 7.5 High | An issue was discovered in Stormshield SNS through 4.2.1. It is susceptible to a brute-force attack. |