Total
421 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-44033 | 1 Ionic | 1 Identity Vault | 2024-11-21 | 6.8 Medium |
| In Ionic Identity Vault before 5.0.5, the protection mechanism for invalid unlock attempts can be bypassed. | ||||
| CVE-2021-43958 | 1 Atlassian | 2 Crucible, Fisheye | 2024-11-21 | 9.8 Critical |
| Various rest resources in Fisheye and Crucible before version 4.8.9 allowed remote attackers to brute force user login credentials as rest resources did not check if users were beyond their max failed login limits and therefore required solving a CAPTCHA in addition to providing user credentials for authentication via a improper restriction of excess authentication attempts vulnerability. | ||||
| CVE-2021-43332 | 2 Debian, Gnu | 2 Debian Linux, Mailman | 2024-11-21 | 6.5 Medium |
| In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py admindb page contains an encrypted version of the list admin password. This could potentially be cracked by a moderator via an offline brute-force attack. | ||||
| CVE-2021-43298 | 1 Embedthis | 1 Goahead | 2024-11-21 | 9.8 Critical |
| The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver's response time until the unauthorized (401) response. | ||||
| CVE-2021-42544 | 1 Businessdnasolutions | 1 Topease | 2024-11-21 | 7.5 High |
| Missing Rate Limiting in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 on the Login Form allows an unauthenticated remote attacker to perform multiple login attempts, which facilitates gaining privileges. | ||||
| CVE-2021-42096 | 3 Debian, Gnu, Redhat | 4 Debian Linux, Mailman, Enterprise Linux and 1 more | 2024-11-21 | 4.3 Medium |
| GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password. | ||||
| CVE-2021-41807 | 1 M-files | 2 M-files Server, M-files Web | 2024-11-21 | 7.5 High |
| Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier. | ||||
| CVE-2021-41435 | 1 Asus | 36 Gt-ax11000, Gt-ax11000 Firmware, Rt-ax3000 and 33 more | 2024-11-21 | 9.8 Critical |
| A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series(RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote attacker to attempt any number of login attempts via sending a specific HTTP request. | ||||
| CVE-2021-41171 | 1 Elabftw | 1 Elabftw | 2024-11-21 | 5.9 Medium |
| eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header. This issue has been addressed by implementing brute force login protection, as recommended by Owasp with Device Cookies. This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. The only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is of course a valid option, with or without upgrading. | ||||
| CVE-2021-3663 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 7.5 High |
| firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts | ||||
| CVE-2021-3412 | 1 Redhat | 2 3scale, 3scale Api Management | 2024-11-21 | 7.3 High |
| It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks. | ||||
| CVE-2021-3138 | 1 Discourse | 1 Discourse | 2024-11-21 | 7.5 High |
| In Discourse 2.7.0 through beta1, a rate-limit bypass leads to a bypass of the 2FA requirement for certain forms. | ||||
| CVE-2021-38890 | 4 Ibm, Linux, Microsoft and 1 more | 5 Aix, Sterling Connect\, Linux Kernel and 2 more | 2024-11-21 | 7.5 High |
| IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 209507. | ||||
| CVE-2021-38725 | 1 Thedaylightstudio | 1 Fuel Cms | 2024-11-21 | 5.3 Medium |
| Fuel CMS 1.5.0 has a brute force vulnerability in fuel/modules/fuel/controllers/Login.php | ||||
| CVE-2021-38474 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2024-11-21 | 6.3 Medium |
| InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 have has no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitation and without harming the normal operation of the user. This could allow an attacker to gain valid credentials for the product interface. | ||||
| CVE-2021-38155 | 1 Openstack | 1 Keystone | 2024-11-21 | 7.5 High |
| OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected. | ||||
| CVE-2021-37934 | 1 Huntflow | 1 Huntflow Enterprise | 2024-11-21 | 9.8 Critical |
| Due to insufficient server-side login-attempt limit enforcement, a vulnerability in /account/login in Huntflow Enterprise before 3.10.14 could allow an unauthenticated, remote user to perform multiple login attempts for brute-force password guessing. | ||||
| CVE-2021-36750 | 2 Sandisk, Zendesk | 3 Secureaccess, Enc Datavault, Enc Vaultapi | 2024-11-21 | 8.1 High |
| ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names). | ||||
| CVE-2021-36285 | 1 Dell | 42 Latitude 5310 2-in-1, Latitude 5310 2-in-1 Firmware, Latitude 5320 and 39 more | 2024-11-21 | 5.7 Medium |
| Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability. A local authenticated malicious administrator could exploit this vulnerability to bypass excessive NVMe password attempt mitigations in order to carry out a brute force attack. | ||||
| CVE-2021-36284 | 1 Dell | 42 Latitude 5310 2-in-1, Latitude 5310 2-in-1 Firmware, Latitude 5320 and 39 more | 2024-11-21 | 5.7 Medium |
| Dell BIOS contains an Improper Restriction of Excessive Authentication Attempts vulnerability. A local authenticated malicious administrator could exploit this vulnerability to bypass excessive admin password attempt mitigations in order to carry out a brute force attack. | ||||