Improper Restriction of Excessive Authentication Attempts. The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks.
STEPS FOR REPRODUCTION:
1)Go to https://demo.firefly-iii.org/login
2)Enter the username and password
3)Capture the request
4)Set the field for password and start bruteforcing the password
I was able to brute force the password with a list of around 200+ usernames, the no. of attempts must be reduced to less than 10
This vulnerability is capable of, if the attacker uses the correct password list, it can lead to account takeovers.