Improper Restriction of Excessive Authentication Attempts in OpenClinic GA

#VU29500 Improper Restriction of Excessive Authentication Attempts in OpenClinic GA

Published: 2020-07-03

Vulnerability identifier: #VU29500

Vulnerability risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-14484

CWE-ID: CWE-307

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenClinic GA
Web applications / CMS

Vendor: Frank Verbeke

Description

The vulnerability allows a remote attacker to gain access to the system.

The vulnerability exists due to the authentication mechanism has no brute-force prevention. A remote attacker can bypass the system’s account lockout protection, perform a brute-force authentication attack and gain access to the target system.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

OpenClinic GA: 5.09.02 - 5.89.05 b

External links
http://ics-cert.us-cert.gov/advisories/icsma-20-184-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in OpenClinic GA