CVE-2015-20110

HIGH Year: 2015
CVSS v3 Score
7.5
High
Weakness Type
CWE-307
View all →

Vulnerability Description

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.

Related Vulnerabilities

CVE-1999-1152

HIGH
CVSS:7.5(High)

Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force att...

CWE-3071999

CVE-2002-0628

HIGH
CVSS:7.5(High)

The Telnet service for Polycom ViewStation before 7.2.4 does not restrict the number of failed login attempts, which makes it easier for remote attackers to guess usernames and passwords via a brute f...

CWE-3072002

CVE-2013-1895

HIGH
CVSS:7.5(High)

The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the pa...

CWE-3072013

CVE-2013-2257

HIGH
CVSS:7.5(High)

Cryptocat before 2.0.42 has Group Chat ECC Private Key Generation Brute Force Weakness

CWE-3072013

CVE-2017-14423

HIGH
CVSS:7.5(High)

htdocs/parentalcontrols/bind.php on D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) devices does not prevent unauthenticated nonce-guessing attacks, which makes it easier for remo...

CWE-3072017

CVE-2019-13166

HIGH
CVSS:7.5(High)

Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did not implement account lockout. Local account credentials may be extracted from the device via brute force guessing attacks.

CWE-3072019