PT-2021-23146 · Elabftw · Elabftw

Krastanoel

·

Published

2021-10-22

·

Updated

2021-10-28

·

CVE-2021-41171

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

eLabFTW versions prior to 4.1.0

Description

Before 4.1.0, eLabFTW's brute-force protection was tied to the PHP session, so an attacker who sends a fresh forged PHPSESSID value in the HTTP Cookie header with each request starts every attempt with a clean counter and bypasses the protection entirely. Version 4.1.0 addresses this by implementing login brute-force protection with device cookies, as recommended by OWASP: a server-signed cookie identifies browsers that have previously authenticated, and failed attempts from any other client are counted against the account rather than the session, so forging cookie values no longer resets the counter. Legitimate users keep access from their known devices, and password-guessing attempts are effectively thwarted.

Recommendations

Upgrade to version 4.1.0; there is no configuration-level fix for earlier versions. Rate limiting login requests upstream of the eLabFTW service (for example at the reverse proxy) is a valid additional mitigation, with or without upgrading, but on its own it does not replace the upgrade.
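The following is an added example, not eLabFTW's code, that models the two designs side by side: a lockout counter keyed on the client-supplied PHPSESSID (the weakness above) and the OWASP device-cookie scheme the fix adopts. The attempt threshold, lockout window, the account "alice" and the wordlist are constructed for the demonstration; the HMAC layout of the cookie (login, nonce, signature) follows the OWASP cheat sheet.

```python
"""Session-keyed lockout (bypassable with forged PHPSESSIDs) next to an
OWASP device-cookie lockout. Added example; not eLabFTW code."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

MAX_ATTEMPTS = 3          # constructed threshold; eLabFTW's real value is not stated on the page
LOCKOUT_SECONDS = 600     # constructed lockout window
SERVER_KEY = secrets.token_bytes(32)   # a real deployment persists this key server-side
USERS = {"alice": "correct horse battery staple"}   # constructed account, plaintext for the demo only


class SessionKeyedLimiter:
    """Weak design: failures are counted per PHPSESSID, a value the client chooses."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, phpsessid, username, password):
        if self.failures[phpsessid] >= MAX_ATTEMPTS:
            return "locked"
        if USERS.get(username) == password:
            return "ok"
        self.failures[phpsessid] += 1       # a forged PHPSESSID starts at zero again
        return "fail"


class DeviceCookieLimiter:
    """OWASP device cookies: a server-signed cookie marks a browser that has
    authenticated before. Failures from such a device count only against that
    cookie's nonce; failures from anything else count against the account."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> unix time the lock expires

    def _sign(self, login, nonce):
        tag = hmac.new(SERVER_KEY, f"{login}:{nonce}".encode(), hashlib.sha256).digest()
        return f"{login},{nonce},{base64.urlsafe_b64encode(tag).decode()}"

    def _verify(self, cookie, login):
        """Return the nonce if the cookie is genuine and belongs to this login, else None."""
        try:
            c_login, nonce, tag_b64 = cookie.split(",")
            tag = base64.urlsafe_b64decode(tag_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(SERVER_KEY, f"{c_login}:{nonce}".encode(), hashlib.sha256).digest()
        if c_login == login and hmac.compare_digest(tag, expected):
            return nonce
        return None

    def _record_failure(self, key):
        cutoff = self.now() - LOCKOUT_SECONDS
        recent = [t for t in self.failures[key] if t > cutoff] + [self.now()]
        self.failures[key] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[key] = self.now() + LOCKOUT_SECONDS

    def login(self, username, password, device_cookie=None):
        nonce = self._verify(device_cookie, username) if device_cookie else None
        # Forged or missing cookies all fall into the one untrusted bucket for this account.
        key = ("device", nonce) if nonce else ("untrusted", username)
        if self.locked_until.get(key, 0) > self.now():
            return "locked", None
        if USERS.get(username) == password:
            return "ok", self._sign(username, secrets.token_urlsafe(16))
        self._record_failure(key)
        return "fail", None


def attack_session_keyed(wordlist):
    """Guess with a fresh forged PHPSESSID on every request; returns per-attempt outcomes."""
    limiter = SessionKeyedLimiter()
    return [limiter.login(secrets.token_hex(16), "alice", pw) for pw in wordlist]


def device_cookie_scenario(wordlist):
    """Same attack against the device-cookie limiter while alice holds a valid cookie.
    Returns (attacker outcomes, alice with her cookie, alice without a cookie)."""
    limiter = DeviceCookieLimiter()
    status, alice_cookie = limiter.login("alice", USERS["alice"])   # earlier genuine login
    assert status == "ok"
    attacker = []
    for pw in wordlist:
        forged = f"alice,{secrets.token_hex(8)},AAAA"   # attacker cannot produce a valid HMAC
        attacker.append(limiter.login("alice", pw, device_cookie=forged)[0])
    with_cookie, _ = limiter.login("alice", USERS["alice"], device_cookie=alice_cookie)
    without_cookie, _ = limiter.login("alice", USERS["alice"])
    return attacker, with_cookie, without_cookie


if __name__ == "__main__":
    guesses = ["password", "123456", "alice", "letmein", "qwerty"]   # constructed wordlist
    print("session-keyed:", attack_session_keyed(guesses))
    print("device-cookie:", device_cookie_scenario(guesses))
```

Against the session-keyed limiter every guess comes back "fail" and the attacker is never locked out, because each forged PHPSESSID is a new counter. Against the device-cookie limiter the forged cookies fail HMAC verification, so all guesses land in the account's untrusted bucket and the account locks after MAX_ATTEMPTS; alice can still sign in from the browser that holds her genuine cookie, while a cookie-less login with the correct password waits out the lock like the attacker does.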

Weakness Enumeration

Improper Restriction of Excessive Authentication Attempts (CWE-307)

Related Identifiers

CVE-2021-41171
GHSA-Q67H-5PC3-G6JV

Affected Products

Elabftw