Improper Restriction of Excessive Authentication Attempts in eLabFTW - CVE-2021-41171

Published: October 22, 2021 / Updated: April 24, 2026


Vulnerability identifier: #VU127368
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-41171
CWE-ID: CWE-307
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: eLabFTW
Software vendor: elabftw

Description

The vulnerability allows a remote attacker to bypass brute-force protection on the login form.

The vulnerability exists due to improper restriction of excessive authentication attempts in the login form when handling authentication requests with forged PHPSESSID values in the HTTP Cookie header. A remote attacker can send authentication requests with many different forged PHPSESSID values to bypass brute-force protection on the login form.
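To make the flaw concrete, the following is an added example and not eLabFTW's own code: a hypothetical model of a login rate limiter whose failed-attempt counter is stored in per-session state (so a client that presents a new, forged PHPSESSID gets a fresh counter), beside one keyed on the targeted account and the client address. The class names, the `MAX_FAILURES` threshold and the sample account and address are assumptions.

```python
# Added example, not eLabFTW's code: a minimal model of a login rate limiter
# whose failed-attempt counter is kept in per-session state (the CWE-307
# pattern behind CVE-2021-41171) next to one keyed on the targeted account
# and the client address. Names and limits are hypothetical.
from collections import defaultdict

MAX_FAILURES = 3          # hypothetical lockout threshold


class SessionKeyedLimiter:
    """Vulnerable: the counter lives in the session, and the session id is
    just a cookie the client chose, so a fresh PHPSESSID means a fresh counter."""

    def __init__(self):
        self.failures = defaultdict(int)

    def allow(self, session_id, username, client_ip):
        return self.failures[session_id] < MAX_FAILURES

    def record_failure(self, session_id, username, client_ip):
        self.failures[session_id] += 1


class AccountKeyedLimiter:
    """Hardened: counters are keyed on the account under attack and on the
    source address, neither of which the client can reset by changing a cookie."""

    def __init__(self):
        self.by_account = defaultdict(int)
        self.by_ip = defaultdict(int)

    def allow(self, session_id, username, client_ip):
        return (self.by_account[username] < MAX_FAILURES
                and self.by_ip[client_ip] < MAX_FAILURES)

    def record_failure(self, session_id, username, client_ip):
        self.by_account[username] += 1
        self.by_ip[client_ip] += 1


def guesses_let_through(limiter, attempts, rotate_session):
    """Constructed scenario: `attempts` wrong passwords for one account from one
    address, each either reusing a session or presenting a new forged one.
    Returns how many guesses the limiter let reach the password check."""
    allowed = 0
    for i in range(attempts):
        sid = f"forged-{i}" if rotate_session else "one-session"
        if limiter.allow(sid, "admin", "203.0.113.5"):
            allowed += 1
            limiter.record_failure(sid, "admin", "203.0.113.5")
    return allowed
```

In server logs the same bypass shows up as a burst of failed logins for one account from one address with a different session id on every request, which is the signal a per-account counter or a log alert should key on rather than the session.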


Remediation

Install the security update from the vendor's website.

External links