CVEbaza.plSłownik CWECWE-799
Common Weakness Enumeration

CWE-799

Improper Control of Interaction Frequency

Kategoria: ClassCVE: 69
Opis

Produkt nie ogranicza prawidłowo liczby lub częstotliwości interakcji z aktorem, takich jak liczba przychodzących żądań. Może to prowadzić do zbyt wielu żądań przetwarzanych przez system, co może doprowadzić do jego przeciążenia lub ataku typu denial-of-service.

Description (EN)

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

Podatności CVE z CWE-799 (69)
9.8
CVSS
CRITICAL
CVE-2025-54321

Ascertia SigningHub do wersji 8.6.8 włącznie nie ogranicza liczby żądań resetowania hasła, co umożliwia atak email bombing. Uwierzytelniony atakujący może automatycznie wysyłać masowe żądania resetowania hasła pod wskazany adres e-mail.

pub. 2025-11-18
8.8
CVSS
HIGH
CVE-2024-6890

Password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.

pub. 2024-08-07
8.7
CVSS
HIGH
CVE-2024-45788

This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/flooding on the targeted system.

pub. 2024-09-11
8.7
CVSS
HIGH
CVE-2024-32943

An attacker may be able to cause a denial-of-service condition by sending many SSH packets repeatedly.

pub. 2024-06-20
8.7
CVSS
HIGH
CVE-2024-35246

An attacker may be able to cause a denial-of-service condition by sending many packets repeatedly.

pub. 2024-06-20
8.2
CVSS
HIGH
CVE-2025-29998

This vulnerability exists in the CAP back office application due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system.

pub. 2025-03-13
8.1
CVSS
HIGH
CVE-2026-7402

Improper Control of Interaction Frequency vulnerability in MeWare Software Development Inc. PDKS allows Flooding. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117.

pub. 2026-04-30
8.1
CVSS
HIGH
CVE-2026-32729

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, The Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials (via phishing, credential stuffing, or data breach) can brute-force the 6-digit TOTP code to completely bypass two-factor authentication. The TOTP verification session persists for 24 hours (default cache TTL), providing an excessive window during which the full 1,000,000-code keyspace (000000–999999) can be exhausted. At practical request rates (~500 req/s), the attack completes in approximately 33 minutes in the worst case. This vulnerability is fixed in 4.8.1.

pub. 2026-03-16
8.1
CVSS
HIGH
CVE-2026-24017

An Improper Control of Interaction Frequency vulnerability [CWE-799] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to bypass the authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the password target complexity.

pub. 2026-03-10
8.1
CVSS
HIGH
CVE-2021-41177

Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (as as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0. As a workaround, enable a memory cache backend in `config.php`.

pub. 2021-10-25
7.5
CVSS
HIGH
CVE-2023-35621

Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability

pub. 2023-12-12
7.1
CVSS
HIGH
CVE-2026-5233

Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.

pub. 2026-06-15
7.1
CVSS
HIGH
CVE-2024-51557

This vulnerability exists in the Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system.

pub. 2024-11-04
7.1
CVSS
HIGH
CVE-2024-47654

This vulnerability exists in Shilpi Client Dashboard due to lack of rate limiting and Captcha protection for OTP requests in certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints, which could lead to the OTP bombing on the targeted system.

pub. 2024-10-04
6.9
CVSS
MEDIUM
CVE-2026-41343

OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.

pub. 2026-04-23
6.9
CVSS
MEDIUM
CVE-2026-22216

wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.

pub. 2026-03-13
6.9
CVSS
MEDIUM
CVE-2026-30972

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior o 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.

pub. 2026-03-10
6.9
CVSS
MEDIUM
CVE-2025-32378

Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double opt-in for registered customers set to disabled, and Log-in & sign-up: Double opt-in on sign-up set to disabled. With these settings, anyone can register an account on the shop using any e-mail-address and then check the check-box in the account page to sign up for the newsletter. The recipient will receive two mails confirming registering and signing up for the newsletter, no confirmation link needed to be clicked for either. In the backend the recipient is set to “instantly active”. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17.

pub. 2025-04-09
6.5
CVSS
MEDIUM
CVE-2024-8475

Authentication Bypass by Assumed-Immutable Data vulnerability in Digital Operation Services WiFiBurada allows Manipulating User-Controlled Variables. This issue affects WiFiBurada: before 1.0.5.

pub. 2024-12-17
6.5
CVSS
MEDIUM
CVE-2023-40673

: Improper Control of Interaction Frequency vulnerability in cartpauj Cartpauj Register Captcha allows Functionality Misuse.This issue affects Cartpauj Register Captcha: from n/a through 1.0.02.

pub. 2024-06-04
Pokazano 20 z 69 podatności
Informacje
ID: CWE-799
Typ: Class
Podatności: 69
MITRE CWE ↗
← Słownik CWE