Threats Tagged 'cwe-307'

Improper Restriction of Excessive Authentication Attempts vulnerability in BG-TEK Coslat Hotspot allows Password Brute Forcing, Authentication Abuse. This issue affects Coslat Hotspot: before 6.26.0.R.20250227.

Improper Restriction of Excessive Authentication Attempts vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Interface Manipulation. This issue affects Mia-Med Health Aplication: before 1.0.14.

Improper Restriction of Excessive Authentication Attempts vulnerability in Yordam Information Technology Yordam Library Automation System allows Interface Manipulation. This issue affects Yordam Library Automation System: before 20.1.

Improper Restriction of Excessive Authentication Attempts vulnerability in Digital Operation Services WiFiBurada allows Use of Known Domain Credentials. This issue affects WiFiBurada: before 1.0.5.

Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a brute-force lockout on the immobilizer authentication algorithm, but the lockout counter is reachable by any unauthenticated message, has no session binding, and does not reset on power cycle. An attacker can deliberately trip the lockout with a small number of crafted frames, leaving the bike un-startable until dealer service. Specific thresholds have been withheld pending vendor remediation.

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.

Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13.

HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. This may allow repeated authentication attempts, potentially leading to unauthorized access or account compromise under certain conditions.

A logic flaw in OPNsense core versions prior to 26. 1. 7 allows an unauthenticated attacker to bypass the authentication failure lockout mechanism. By submitting a crafted username containing success keywords between brute-force attempts, the attacker can reset the failure counter for their IP address, preventing lockout. This vulnerability is identified as CWE-307 and has a CVSS score of 5. 3 (medium severity). The issue is fixed in version 26. 1. 7.

CVE-2026-7255 is a medium severity vulnerability in Zyxel WRE6505 v2 firmware version V1. 00(ABDV. 3)C0. It involves improper restriction of excessive authentication attempts in the device's web management interface, allowing an adjacent attacker on the LAN to brute-force the password and bypass authentication. The vulnerability has a CVSS score of 6. 5, indicating a moderate risk. No patch or official remediation has been confirmed by the vendor at this time. There are no known exploits in the wild.