CWE-770
Allocation of Resources Without Limits or Throttling
Description
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-125 · CAPEC-130 · CAPEC-147 · CAPEC-197 · CAPEC-229 · CAPEC-230 · CAPEC-231 · CAPEC-469 · CAPEC-482 · CAPEC-486 · CAPEC-487 · CAPEC-488 · CAPEC-489 · CAPEC-490 · CAPEC-491 · CAPEC-493 · CAPEC-494 · CAPEC-495 · CAPEC-496 · CAPEC-528
CVEs mapped to this weakness (964)
page 1 of 49| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-6640 | Cri | 0.65 | 9.8 | 0.11 | Jun 8, 2017 | A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or… | ||
| CVE-2026-31283 | Cri | 0.64 | 9.8 | 0.00 | Apr 13, 2026 | In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime… | ||
| CVE-2020-37067 | Cri | 0.64 | 9.8 | 0.00 | Feb 3, 2026 | Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers to crash the service. Attackers can send an oversized FEAT command with 11,008 bytes of repeated characters to trigger a buffer overflow and terminate the FTP… | ||
| CVE-2021-47875 | Cri | 0.64 | 9.8 | 0.00 | Jan 21, 2026 | GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a payload with 8000 repeated characters and paste it into the calculator's input field to… | ||
| CVE-2024-44241 | Cri | 0.64 | 9.8 | 0.01 | Dec 12, 2024 | The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1. An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware. | ||
| CVE-2017-6713 | Cri | 0.64 | 9.8 | 0.03 | Jul 6, 2017 | A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain full access to the affected system. The vulnerability is due to static, default credentials for the Cisco ESC UI that are shared between… | ||
| CVE-2025-22273 | Cri | 0.60 | — | 0.01 | Feb 28, 2025 | Application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the "/EPMUI/VfManager.asmx/ChangePassword" endpoint it is possible to perform a brute force attack on the current password in use. This issue affects CyberArk… | ||
| CVE-2017-8779 | Hig | 0.58 | 7.5 | 0.82 | May 4, 2017 | rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no… | ||
| CVE-2026-40498 | Cri | 0.57 | 9.8 | 0.01 | Apr 21, 2026 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY,… | ||
| CVE-2025-9368 | Hig | 0.57 | — | 0.00 | Dec 9, 2025 | A security issue exists within 432ES-IG3 Series A, which affects GuardLink® EtherNet/IP Interface, resulting in denial-of-service. A manual power cycle is required to recover the device. | ||
| CVE-2025-12385 | Hig | 0.57 | — | 0.00 | Dec 3, 2025 | Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation. This issue affects users of the Text… | ||
| CVE-2024-7113 | — | Hig | 0.57 | — | 0.01 | Aug 13, 2024 | If exploited, this vulnerability could cause a SuiteLink server to consume excessive system resources and slow down processing of Data I/O for the duration of the attack. | |
| CVE-2026-20103 | Hig | 0.56 | 8.6 | 0.00 | Mar 4, 2026 | A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory resulting in a denial of… | ||
| CVE-2024-30249 | Hig | 0.56 | 8.6 | 0.01 | Apr 4, 2024 | Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR1-20240330.101522-15` impacts publicly accessible software depending on the affected versions of Network and allows an attacker to use Network as an… | ||
| CVE-2018-0137 | Hig | 0.56 | 8.6 | 0.02 | Feb 8, 2018 | A vulnerability in the TCP throttling process of Cisco Prime Network could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient rate limiting protection for TCP listening ports. An… | ||
| CVE-2017-3883 | Hig | 0.56 | 8.6 | 0.04 | Oct 19, 2017 | A vulnerability in the authentication, authorization, and accounting (AAA) implementation of Cisco Firepower Extensible Operating System (FXOS) and NX-OS System Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability… | ||
| CVE-2020-37139 | Hig | 0.55 | 8.4 | 0.00 | Feb 5, 2026 | Odin Secure FTP Expert 7.6.3 contains a local denial of service vulnerability that allows attackers to crash the application by manipulating site information fields. Attackers can generate a buffer overflow by pasting 108 bytes of repeated characters into connection fields,… | ||
| CVE-2018-7582 | Hig | 0.55 | 7.5 | 0.38 | Mar 9, 2018 | WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Service (daemon crash) via a long HTTP Accept Header to TCP port 9991. | ||
| CVE-2025-14341 | Hig | 0.54 | 8.3 | 0.00 | May 7, 2026 | Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding. This issue affects DivvyDrive: from… | ||
| CVE-2025-11243 | Hig | 0.54 | — | 0.00 | Nov 19, 2025 | Allocation of Resources Without Limits or Throttling vulnerability in Shelly Pro 4PM (before v1.6) allows Excessive Allocation via network. |
- risk 0.65cvss 9.8epss 0.11
A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Software could allow an unauthenticated, remote attacker to log in to the administrative console of a DCNM server by using an account that has a default, static password. The account could be granted root- or…
- risk 0.64cvss 9.8epss 0.00
In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack. NOTE: the Supplier's position is that the pwresettime configuration defaults to 30 minutes, the pwresettime…
- risk 0.64cvss 9.8epss 0.00
Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers to crash the service. Attackers can send an oversized FEAT command with 11,008 bytes of repeated characters to trigger a buffer overflow and terminate the FTP…
- risk 0.64cvss 9.8epss 0.00
GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a payload with 8000 repeated characters and paste it into the calculator's input field to…
- risk 0.64cvss 9.8epss 0.01
The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1. An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware.
- risk 0.64cvss 9.8epss 0.03
A vulnerability in the Play Framework of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to gain full access to the affected system. The vulnerability is due to static, default credentials for the Cisco ESC UI that are shared between…
- risk 0.60cvss —epss 0.01
Application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the "/EPMUI/VfManager.asmx/ChangePassword" endpoint it is possible to perform a brute force attack on the current password in use. This issue affects CyberArk…
- risk 0.58cvss 7.5epss 0.82
rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, which allows remote attackers to cause a denial of service (memory consumption with no…
- risk 0.57cvss 9.8epss 0.01
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APP_KEY,…
- risk 0.57cvss —epss 0.00
A security issue exists within 432ES-IG3 Series A, which affects GuardLink® EtherNet/IP Interface, resulting in denial-of-service. A manual power cycle is required to recover the device.
- risk 0.57cvss —epss 0.00
Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation. This issue affects users of the Text…
- risk 0.57cvss —epss 0.01
If exploited, this vulnerability could cause a SuiteLink server to consume excessive system resources and slow down processing of Data I/O for the duration of the attack.
- risk 0.56cvss 8.6epss 0.00
A vulnerability in the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust device memory resulting in a denial of…
- risk 0.56cvss 8.6epss 0.01
Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR1-20240330.101522-15` impacts publicly accessible software depending on the affected versions of Network and allows an attacker to use Network as an…
- risk 0.56cvss 8.6epss 0.02
A vulnerability in the TCP throttling process of Cisco Prime Network could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient rate limiting protection for TCP listening ports. An…
- risk 0.56cvss 8.6epss 0.04
A vulnerability in the authentication, authorization, and accounting (AAA) implementation of Cisco Firepower Extensible Operating System (FXOS) and NX-OS System Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability…
- risk 0.55cvss 8.4epss 0.00
Odin Secure FTP Expert 7.6.3 contains a local denial of service vulnerability that allows attackers to crash the application by manipulating site information fields. Attackers can generate a buffer overflow by pasting 108 bytes of repeated characters into connection fields,…
- risk 0.55cvss 7.5epss 0.38
WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Service (daemon crash) via a long HTTP Accept Header to TCP port 9991.
- risk 0.54cvss 8.3epss 0.00
Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding. This issue affects DivvyDrive: from…
- risk 0.54cvss —epss 0.00
Allocation of Resources Without Limits or Throttling vulnerability in Shelly Pro 4PM (before v1.6) allows Excessive Allocation via network.