tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15906
Reference (s):
- http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html
- https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3