SB2021102223 - Improper Restriction of Excessive Authentication Attempts in eLabFTW

Published: October 22, 2021 Updated: April 24, 2026

Security Bulletin ID SB2021102223
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Partial DoS

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2021-41171)

The vulnerability allows a remote attacker to bypass brute-force protection on the login form.

The vulnerability exists due to improper restriction of excessive authentication attempts in the login form when handling authentication requests with forged PHPSESSID values in the HTTP Cookie header. A remote attacker can send authentication requests with many different forged PHPSESSID values to bypass brute-force protection on the login form.
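The weakness described above is a brute-force counter that lives under a value the client controls. The following is an added illustration, not eLabFTW's code: a limiter keyed on the session cookie is run against a constructed batch of failed logins that each carry a different PHPSESSID, beside a limiter keyed on the target account and source address, plus a small detection helper that counts distinct session IDs per address. The threshold, window, request fields and sample values are all assumptions for the example.

```python
"""Added example (not eLabFTW code): why a login rate limiter keyed on the
PHPSESSID cookie is bypassable, the hardened alternative, and a detection
check. All request data below is constructed."""
from collections import defaultdict

MAX_FAILURES = 5       # assumed lockout threshold (not taken from the page)
WINDOW_SECONDS = 300   # assumed sliding window for counting failures

# Constructed sample: one source address, one target account, 12 failed
# logins, each request presenting a freshly forged PHPSESSID value.
SAMPLE_REQUESTS = [
    {"ts": 1000 + i, "ip": "203.0.113.7", "user": "alice",
     "phpsessid": f"forged{i:02d}", "password_ok": False}
    for i in range(12)
]


class SessionKeyedLimiter:
    """Weak design: the failure counter is stored under the PHPSESSID value.
    A client that sends a new cookie on every request never accumulates
    failures, so the threshold is never reached."""

    def __init__(self):
        self.failures = defaultdict(int)

    def allow(self, req):
        return self.failures[req["phpsessid"]] < MAX_FAILURES

    def record_failure(self, req):
        self.failures[req["phpsessid"]] += 1


class AccountAndIpLimiter:
    """Hardened design: failures are counted per target account and per
    source address inside a sliding window. Neither key can be reset by
    the client presenting a different cookie."""

    def __init__(self):
        self.by_account = defaultdict(list)  # username -> failure timestamps
        self.by_ip = defaultdict(list)       # source IP -> failure timestamps

    @staticmethod
    def _recent(stamps, now):
        return [t for t in stamps if now - t < WINDOW_SECONDS]

    def allow(self, req):
        now, user, ip = req["ts"], req["user"], req["ip"]
        self.by_account[user] = self._recent(self.by_account[user], now)
        self.by_ip[ip] = self._recent(self.by_ip[ip], now)
        return (len(self.by_account[user]) < MAX_FAILURES
                and len(self.by_ip[ip]) < MAX_FAILURES)

    def record_failure(self, req):
        self.by_account[req["user"]].append(req["ts"])
        self.by_ip[req["ip"]].append(req["ts"])


def process(limiter, requests):
    """Run requests through a limiter; return how many reached the
    password check (i.e. were not stopped by the limiter)."""
    checked = 0
    for req in requests:
        if not limiter.allow(req):
            continue
        checked += 1
        if not req["password_ok"]:
            limiter.record_failure(req)
    return checked


def distinct_sessions_per_ip(requests, window=WINDOW_SECONDS):
    """Detection helper: number of distinct PHPSESSID values each address
    presented to the login endpoint within `window` seconds of its first
    request. A high count from one address is the signature of a client
    rotating session IDs to dodge a session-keyed limiter."""
    first_seen, seen = {}, defaultdict(set)
    for req in requests:
        ip = req["ip"]
        first_seen.setdefault(ip, req["ts"])
        if req["ts"] - first_seen[ip] < window:
            seen[ip].add(req["phpsessid"])
    return {ip: len(ids) for ip, ids in seen.items()}


if __name__ == "__main__":
    print("session-keyed limiter let through:",
          process(SessionKeyedLimiter(), SAMPLE_REQUESTS))    # 12 (all)
    print("account+IP limiter let through:",
          process(AccountAndIpLimiter(), SAMPLE_REQUESTS))    # 5 (threshold)
    print("distinct PHPSESSIDs per IP:",
          distinct_sessions_per_ip(SAMPLE_REQUESTS))          # {'203.0.113.7': 12}
```

The hardened limiter checks both keys so that a single source spraying many accounts is stopped by the per-IP count, while an attack spread over many sources is still stopped by the per-account count; neither depends on state the client supplies.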


Remediation

Install the update from the vendor's website.