Total
372 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-42818 | 1 Fit2cloud | 1 Jumpserver | 2024-08-02 | 5.4 Medium |
| JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication against the SSH service This issue has been patched in versions 3.6.5 and 3.5.6. Users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2023-42769 | 1 Sielco | 30 Analog Fm Transmitter Exc1000gt, Analog Fm Transmitter Exc1000gt Firmware, Analog Fm Transmitter Exc1000gx and 27 more | 2024-08-02 | 9.8 Critical |
| The cookie session ID is of insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication, and manipulate the transmitter. | ||||
| CVE-2023-40834 | 1 Opencart | 1 Opencart | 2024-08-02 | 9.8 Critical |
| OpenCart CMS v4.0.2.2 was discovered to lack a protective mechanism on its login page against excessive login attempts, allowing unauthenticated attackers to gain access to the application via a brute force attack to the password parameter. | ||||
| CVE-2023-40706 | 1 Opto22 | 2 Snap Pac S1, Snap Pac S1 Firmware | 2024-08-02 | 8.6 High |
| There is no limit on the number of login attempts in the web server for the SNAP PAC S1 Firmware version R10.3b. This could allow for a brute-force attack on the built-in web server login. | ||||
| CVE-2023-39958 | 1 Nextcloud | 1 Nextcloud Server | 2024-08-02 | 5.8 Medium |
| Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. | ||||
| CVE-2023-38273 | 1 Ibm | 1 Cloud Pak System | 2024-08-02 | 7.5 High |
| IBM Cloud Pak System 2.3.1.1, 2.3.2.0, and 2.3.3.7 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 260733. | ||||
| CVE-2023-36917 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-08-02 | 5.9 Medium |
| SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality. Although the attack has no impact on integrity loss or system availability, this could lead to an attacker to completely takeover a victim’s account. | ||||
| CVE-2023-36434 | 1 Microsoft | 19 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 16 more | 2024-08-02 | 9.8 Critical |
| Windows IIS Server Elevation of Privilege Vulnerability | ||||
| CVE-2023-35697 | 1 Sick | 2 Icr890-4, Icr890-4 Firmware | 2024-08-02 | 5.3 Medium |
| Improper Restriction of Excessive Authentication Attempts in the SICK ICR890-4 could allow a remote attacker to brute-force user credentials. | ||||
| CVE-2023-35172 | 1 Nextcloud | 1 Nextcloud Server | 2024-08-02 | 8.7 High |
| NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, an attacker can bruteforce the password reset links. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. No known workarounds are available. | ||||
| CVE-2023-35039 | 1 Bedevious | 1 Password Reset With Code For Wordpress Rest Api | 2024-08-02 | 9.8 Critical |
| Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15. | ||||
| CVE-2023-34243 | 1 Tgstation13 | 1 Tgstation-server | 2024-08-02 | 5.8 Medium |
| TGstation is a toolset to manage production BYOND servers. In affected versions if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was found, a distinct response would be generated. This issue has been addressed in version 5.12.5. Users are advised to upgrade. Users unable to upgrade may be mitigated by rate-limiting API calls with software that sits in front of TGS in the HTTP pipeline such as fail2ban. | ||||
| CVE-2023-34001 | 2024-08-02 | 5.3 Medium | ||
| Improper Restriction of Excessive Authentication Attempts vulnerability in WPPlugins – WordPress Security Plugins Hide My WP Ghost allows Functionality Bypass.This issue affects Hide My WP Ghost: from n/a through 5.0.25. | ||||
| CVE-2023-33868 | 1 Piigab | 2 M-bus 900s, M-bus 900s Firmware | 2024-08-02 | 5.9 Medium |
| The number of login attempts is not limited. This could allow an attacker to perform a brute force on HTTP basic authentication. | ||||
| CVE-2023-33759 | 1 Splicecom | 1 Maximiser Soft Pbx | 2024-08-02 | 9.8 Critical |
| SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack. | ||||
| CVE-2023-33754 | 1 Inpiazza | 1 Cloud Wifi | 2024-08-02 | 6.5 Medium |
| The captive portal in Inpiazza Cloud WiFi versions prior to v4.2.17 does not enforce limits on the number of attempts for password recovery, allowing attackers to brute force valid user accounts to gain access to login credentials. | ||||
| CVE-2023-32657 | 1 Weintek | 1 Weincloud | 2024-08-02 | 5.3 Medium |
| Weintek Weincloud v0.13.6 could allow an attacker to efficiently develop a brute force attack on credentials with authentication hints from error message responses. | ||||
| CVE-2023-32319 | 1 Nextcloud | 1 Nextcloud Server | 2024-08-02 | 8.1 High |
| Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-32320 | 1 Nextcloud | 1 Nextcloud Server | 2024-08-02 | 8.7 High |
| Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the amount of faulty requests succeeded the limit by the time the response was sent to the client. This allowed someone to send as many requests the server could handle in parallel to bruteforce protected details instead of the configured limit, default 8. Nextcloud Server versions 25.0.7 and 26.0.2 and Nextcloud Enterprise Server versions 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 and 26.0.2 contain patches for this issue. | ||||
| CVE-2023-32224 | 1 Dlink | 2 Dsl-224, Dsl-224 Firmware | 2024-08-02 | 9.8 Critical |
| D-Link DSL-224 firmware version 3.0.10 CWE-307: Improper Restriction of Excessive Authentication Attempts | ||||