VYPR

CWE-799

Improper Control of Interaction Frequency

Class, Incomplete

Description

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

This can allow the actor to perform actions more frequently than expected. The actor could be a human or an automated process such as a virus or bot. This could be used to cause a denial of service, compromise program logic (such as limiting humans to a single vote), or other consequences. For example, an authentication routine might not limit the number of times an attacker can guess a password. Or, a web site might conduct a poll but only expect humans to vote a maximum of once a day.

Hierarchy (View 1000)

Parents

CVEs mapped to this weakness (39)

page 2 of 2
  • CVE-2025-10761 | Low | Sep 21, 2025
    risk 0.24, cvss 3.7, epss 0.01

    A vulnerability has been found in Harness 3.3.0. Affected is an unknown function of the file /api/v1/login of the component Login Endpoint. The manipulation leads to improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The…

  • CVE-2025-9004 | Low | Aug 15, 2025
    risk 0.24, cvss 3.7, epss 0.01

    A vulnerability was found in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /settings/password. The manipulation leads to improper restriction of excessive authentication attempts. The attack may be initiated remotely. The complexity of an attack…

  • CVE-2025-8927 | Low | Aug 13, 2025
    risk 0.24, cvss 3.7, epss 0.01

    A vulnerability was determined in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality of the file /email/send_code of the component Verification Code Handler. The manipulation of the argument email leads to improper restriction of excessive…

  • CVE-2025-5864 | Low | Jun 9, 2025
    risk 0.24, cvss 3.7, epss 0.00

    A vulnerability was found in Tenda TDSEE App up to 1.7.12. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /app/ConfirmSmsCode of the component Password Reset Confirmation Code Handler. The manipulation leads to…

  • CVE-2025-1629 | Low | Feb 24, 2025
    risk 0.23, cvss 3.5, epss 0.00

    A vulnerability was found in Excitel Broadband Private my Excitel App 3.13.0 on Android. It has been classified as problematic. Affected is an unknown function of the component One-Time Password Handler. The manipulation leads to improper restriction of excessive authentication…

  • CVE-2025-7882 | Low | Jul 20, 2025
    risk 0.20, cvss 3.1, epss 0.00

    A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been rated as problematic. This issue affects some unknown processing of the component Login. The manipulation leads to improper restriction of excessive authentication attempts. The attack can…

  • CVE-2025-52880 | Med | Jun 24, 2025
    risk 0.20, cvss 4.2, epss 0.00

    Komga is a media server for comics, mangas, BDs, magazines and eBooks. A Cross-Site Scripting (XSS) vulnerability has been discovered in versions 1.8.0 through 1.21.3 when serving EPUB resources, either directly from the API, or when reading using the epub reader. The…

  • CVE-2024-11126 | Low | Nov 12, 2024
    risk 0.20, cvss 3.1, epss 0.00

    A vulnerability was found in Digistar AG-30 Plus 2.6b. It has been classified as problematic. Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of excessive authentication attempts. The complexity of an attack is rather…

  • CVE-2026-41333 | Low | Apr 23, 2026
    risk 0.17, cvss 3.7, epss 0.00

    OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls…

  • CVE-2026-1409 | Low | Jan 26, 2026
    risk 0.13, cvss 2.0, epss 0.00

    A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the…

  • CVE-2025-52570 | Low | Jun 24, 2025
    risk 0.04, cvss n/a, epss 0.00

    Letmein is an authenticating port knocker. Prior to version 10.2.1, the connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command…

  • CVE-2026-30972 | Mar 10, 2026
    risk 0.00, cvss n/a, epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes…

  • CVE-2025-57816 | Sep 8, 2025
    risk 0.00, cvss n/a, epss 0.00

    Fides is an open-source privacy engineering platform. Prior to version 2.69.1, the Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected…

  • CVE-2025-32378 | Apr 9, 2025
    risk 0.00, cvss n/a, epss 0.00

    Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double…

  • CVE-2024-57603 | Feb 12, 2025
    risk 0.00, cvss n/a, epss 0.00

    An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the lack of rate limiting.

  • CVE-2024-13274 | Jan 9, 2025
    risk 0.00, cvss n/a, epss 0.00

    Improper Control of Interaction Frequency vulnerability in Drupal Open Social allows Functionality Misuse. This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5.

  • CVE-2021-33563 | May 24, 2021
    risk 0.00, cvss n/a, epss 0.01

    Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.

  • CVE-2016-11069 | Jun 19, 2020
    risk 0.00, cvss n/a, epss 0.01

    An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.

  • CVE-2018-17184 | Nov 6, 2018
    risk 0.00, cvss n/a, epss 0.01

    A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the…