Windu CMS Client-Side Brute-Force Protection Bypass Vulnerability

Vulnerability

A vulnerability exists in Windu CMS version 4.1 that allows attackers to bypass its weak, client-side brute-force protection. The login form tracks failed attempts through the 'loginError' parameter, but the server stores neither an attempt count nor any timeout, so the only record of prior failures is the value the client itself submits. Because nothing is tracked server-side, an attacker can simply reset the 'loginError' parameter and circumvent the brute-force defense entirely. The vendor was notified, but no response regarding the details or the affected version range was received. Only version 4.1 has been tested and confirmed vulnerable; the status of other versions is unknown.
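The following is an added example, not Windu CMS code, that contrasts the pattern the advisory describes (a failure counter that exists only in the client-submitted 'loginError' parameter) with the server-side tracking that a login endpoint actually needs. The parameter name comes from the advisory; the request shape, the threshold and lockout window, the in-memory store, the sample credentials and the helper names are all assumptions made for illustration.

```python
"""Server-side login attempt tracking versus a client-controlled counter.

Added example, not Windu CMS code. Only the 'loginError' parameter name is
taken from the advisory; everything else (limits, request shape, storage)
is an assumption for illustration.
"""
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 5        # assumed lockout threshold
LOCKOUT_SECONDS = 900   # assumed lockout window (15 minutes)


def client_counter_allows_attempt(params: dict) -> bool:
    """The weak pattern: the only record of prior failures is the request's
    own 'loginError' value, so whoever sends the request decides the count.
    Nothing stops a client from sending loginError=0 on every attempt."""
    try:
        failures = int(params.get("loginError", 0))
    except (TypeError, ValueError):
        failures = 0
    return failures < MAX_FAILURES


class ServerSideLoginLimiter:
    """Attempt counts and lockout expiry live on the server, keyed by account.
    A real deployment would also key by source address and persist the state
    in a shared store (database, cache) instead of process memory."""

    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(int)       # username -> failed attempts
        self._locked_until = {}                 # username -> unlock time

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the account gets a fresh window.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username: str) -> None:
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)

    def failures(self, username: str) -> int:
        return self._failures.get(username, 0)


def login(limiter, credentials, username, password, params):
    """Authenticate using the server-side limiter. 'params' is the submitted
    form; it is deliberately ignored for rate limiting, which is the point.
    Plaintext comparison is for the demo only; real code compares hashes."""
    if limiter.is_locked(username):
        return "locked"
    stored = credentials.get(username, "")
    if hmac.compare_digest(stored, password):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username)
    return "invalid"


def demo():
    """Five wrong passwords lock the account; a client that keeps sending
    loginError=0 gains nothing, and even the right password waits until
    the lockout window has passed."""
    credentials = {"admin": "correct horse"}   # constructed sample account
    now = [1000.0]                              # fake clock, seconds
    limiter = ServerSideLoginLimiter(clock=lambda: now[0])
    reset_counter = {"loginError": "0"}         # the client "reset" from the advisory
    results = []
    for _ in range(MAX_FAILURES):
        results.append(login(limiter, credentials, "admin", "wrong", reset_counter))
    results.append(login(limiter, credentials, "admin", "correct horse", reset_counter))
    now[0] += LOCKOUT_SECONDS                   # wait out the lockout window
    results.append(login(limiter, credentials, "admin", "correct horse", reset_counter))
    return results


if __name__ == "__main__":
    print(demo())
```

The contrast is the whole fix: `client_counter_allows_attempt` happily accepts a zeroed counter forever, while `ServerSideLoginLimiter` never consults the request for its state, so resetting 'loginError' has no effect. Keying on the account alone is enough to show the idea; production code should also count per source address, log lockouts for detection, and keep the store shared across application instances.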

Impact

Exploitation of this vulnerability allows brute-force attacks against the login form to proceed without restriction, potentially leading to unauthorized access.

Added: Nov 18, 2025, 3:22 PM
Updated: Nov 18, 2025, 3:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.