A lack of rate limiting in the login mechanism of SigningHub v8.6.8 allows attackers to bypass authentication via a brute force attack.
The login mechanism in SigningHub v8.6.8 does not implement rate limiting, meaning it does not restrict the number of consecutive authentication attempts from a given source. An attacker can automatically send an unlimited number of login requests with various password combinations (brute force) until successfully guessing the correct credentials. The attack is possible remotely, without any prior permissions or victim interaction.
An attacker who successfully guesses login credentials gains full unauthorized access to a user or administrator account in the SigningHub system, which may result in violation of confidentiality, integrity, and availability of processed documents and data.
Patches available from the vendor should be applied in accordance with references. Additionally, it is recommended to implement account blocking mechanisms or temporary IP address blocking after a specified number of failed login attempts, and to consider implementing multi-factor authentication (MFA) as an additional layer of protection.
Ascertia SigningHub v8.6.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAscertia Signinghub
APPAscertia≤ 8.6.8
Related vulnerabilities
Brak rate limiting w funkcji resetowania hasła w Ascertia SigningHub
Dowolne przesyłanie plików w SigningHub umożliwia RCE
Incorrect access control in SigningHub v8.6.8 allows attackers to arbitrarily add user accounts without any ra...
A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to c...
A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attac...