A lack of rate limiting in the login page of Safe App version a3.0.9 allows attackers to bypass authentication via a brute force attack.
The login page of the Safe App application does not impose a limit on the number of failed authentication attempts (no rate limiting). An attacker can automatically send an unlimited number of login requests with different password combinations until successfully guessing the correct credentials. The attack is possible remotely, without authentication, and without user interaction, which classifies it as very easy to conduct.
An attacker who successfully conducts a brute force attack can gain unauthorized access to user accounts of the application, leading to violations of confidentiality, integrity, and availability of data stored in the application.
Patches available from the vendor should be applied according to references. Additionally, it is recommended to implement mechanisms for limiting the number of login attempts (rate limiting), account lockout after a specified number of failed attempts, and CAPTCHA on the login page.
Safe App (IITB) version a3.0.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIitb Safe
APPIitba3.0.9