CVE-2021-33563

HIGH

Koel < 5.1.4 - Insufficient Password Hash Computational Effort

Title source: llm
STIX 2.1

Description

Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.

References (2)

Core 2
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://huntr.dev/bounties/1-other-koel/koel/
Third Party Advisory x_refsource_misc
https://github.com/koel/koel/releases/tag/v5.1.4

Scores

CVSS v3 7.5
EPSS 0.0079
EPSS Percentile 51.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-916
Status published
Products (2)
koel/koel < 5.1.4
phanan/koel 0 - 5.1.4Packagist
Published May 24, 2021
Tracked Since Feb 18, 2026