craftcms/cms uses an insecure authentication mechanism. There is no account lockout after multiple failed log-in attempts, and the application does not rate-limit the elevated session password prompt, allowing an attacker to perform a brute-force attack on the log-in function, discover users’ passwords and gain access to the application.
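The weakness described above is the absence of any failed-attempt counter on the password prompts. The following is an added illustration of the mitigation, not Craft CMS code: one throttle keyed on (username, client IP) that backs both the initial login and the elevated-session re-prompt, so that neither prompt can be used as an unthrottled oracle for the other. The policy constants, the `PasswordPromptThrottle` class, and the in-memory user store are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed policy values for this illustration (not Craft CMS settings).
MAX_FAILURES = 5        # consecutive failures before a temporary lockout
LOCKOUT_SECONDS = 900   # length of the lockout, in seconds
WINDOW_SECONDS = 900    # failures older than this no longer count


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash; PBKDF2 is used here only to keep the example stdlib-only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed demo credential store: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}


@dataclass
class AttemptState:
    failures: int = 0
    first_failure: float = 0.0
    locked_until: float = 0.0


class PasswordPromptThrottle:
    """Counts failed password checks per (username, client IP) and refuses further
    attempts for LOCKOUT_SECONDS once MAX_FAILURES is reached. Every password
    prompt (login and elevated session) shares the same counter."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can control time
        self._state: dict[tuple[str, str], AttemptState] = {}
        self.events: list[tuple[str, str, str, str]] = []   # audit trail for detection

    def _get(self, username: str, client_ip: str) -> AttemptState:
        # Keying on the pair (rather than username alone) limits how easily a
        # remote party can lock a legitimate user out; a per-username ceiling
        # would be a reasonable second layer.
        return self._state.setdefault((username.lower(), client_ip), AttemptState())

    def retry_after(self, username: str, client_ip: str) -> float:
        """Seconds until the pair may try again; 0.0 when not locked."""
        return max(0.0, self._get(username, client_ip).locked_until - self._clock())

    def record_failure(self, username: str, client_ip: str) -> None:
        now = self._clock()
        st = self._get(username, client_ip)
        if st.failures == 0 or now - st.first_failure > WINDOW_SECONDS:
            st.failures, st.first_failure = 0, now   # start a fresh window
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0                          # counter restarts after lockout

    def record_success(self, username: str, client_ip: str) -> None:
        self._state.pop((username.lower(), client_ip), None)

    def verify(self, prompt: str, username: str, client_ip: str, password: str) -> str:
        """Check a password for either prompt. Returns 'locked', 'invalid' or 'ok'."""
        if self.retry_after(username, client_ip) > 0:
            self.events.append((prompt, username, client_ip, "locked"))
            return "locked"                          # refused before any hashing
        record = USERS.get(username.lower())
        if record is None:
            # Unknown user: take the same hashing path so response time does not
            # reveal whether the account exists; the attempt still counts.
            salt, expected = _SALT, b"\x00" * 32
        else:
            salt, expected = record
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            self.record_failure(username, client_ip)
            self.events.append((prompt, username, client_ip, "invalid"))
            return "invalid"
        self.record_success(username, client_ip)
        self.events.append((prompt, username, client_ip, "ok"))
        return "ok"


if __name__ == "__main__":
    throttle = PasswordPromptThrottle()
    ip = "203.0.113.7"                               # constructed client address
    for _ in range(MAX_FAILURES):
        throttle.verify("login", "alice", ip, "wrong guess")
    # The elevated-session prompt is covered by the same lockout.
    print(throttle.verify("elevated", "alice", ip, "correct horse battery staple"))
    print("retry after", throttle.retry_after("alice", ip), "seconds")
```

The `events` list is what a detection pipeline would consume: a burst of `invalid` followed by `locked` entries for one IP across many usernames is the password-spraying pattern, and `locked` entries against the `elevated` prompt show an already-authenticated session being probed.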
| CPE | Name | Operator | Version |
|---|---|---|---|
| | craftcms/cms | le | 2.9.0 |
| | craftcms/cms | le | 3.1.6 |