Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Bypass bruteforce protection on login form in elabftw
Vulnerability Description
eLabFTW is an open source electronic lab notebook manager for research teams. In versions of eLabFTW before 4.1.0, it allows attackers to bypass a brute-force protection mechanism by using many different forged PHPSESSID values in HTTP Cookie header. This issue has been addressed by implementing brute force login protection, as recommended by Owasp with Device Cookies. This mechanism will not impact users and will effectively thwart any brute-force attempts at guessing passwords. The only correct way to address this is to upgrade to version 4.1.0. Adding rate limitation upstream of the eLabFTW service is of course a valid option, with or without upgrading.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
过多认证尝试的限制不恰当
Vulnerability Title
eLabFTW 安全漏洞
Vulnerability Description
Elabftw是一套开源的实验数据托管平台。该平台运行于Linux系统中,并支持存储多种对象。 eLabFTW 存在安全漏洞,该漏洞源于在 4.1.0 之前的 eLabFTW 版本中,它允许攻击者通过在 HTTP Cookie 标头中使用许多不同的伪造 PHPSESSID 值来绕过暴力保护机制。
CVSS Information
N/A
Vulnerability Type
N/A