VYPR

CWE-837

Improper Enforcement of a Single, Unique Action

Abstraction: Base · Status: Incomplete

Description

The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.

In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to "stuff the ballot box" by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the product.
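The mapped CVEs below fall into two recurring shapes of this weakness: a one-time artifact (activation or reset token) that is not actually consumed on use, or is accepted for a purpose it was not issued for, and a check-then-act sequence that lets two concurrent requests both pass the "not yet done" check before either records the action. The following is an added example written for this page, not code from CWE, CTFd, Grav, Keycloak or any other project listed here. It uses an in-memory SQLite store with a constructed schema; the table and function names (`tokens`, `votes`, `consume_token`, `cast_vote`, `naive_race`) are assumptions made for illustration. It shows the weak two-step pattern losing the single-use guarantee under an interleaving, and the hardened form, where the check and the state change are one atomic statement whose row count decides success, and the token is bound to its purpose.

```python
import secrets
import sqlite3
import time

# Constructed schema for the example (an assumption, not any project's real tables).
SCHEMA = """
CREATE TABLE tokens (
    token      TEXT PRIMARY KEY,
    purpose    TEXT NOT NULL,   -- 'activate' or 'reset'; a token is valid for exactly one
    user_id    INTEGER NOT NULL,
    expires_at REAL NOT NULL,
    used_at    REAL             -- NULL until consumed; set exactly once
);
CREATE TABLE votes (
    voter_id   TEXT PRIMARY KEY,   -- one row per actor is what enforces "vote once"
    choice     TEXT NOT NULL
);
"""


def open_db():
    # isolation_level=None gives autocommit: every statement is its own atomic transaction.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript(SCHEMA)
    return db


def issue_token(db, user_id, purpose, ttl=900, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO tokens(token, purpose, user_id, expires_at) VALUES (?, ?, ?, ?)",
        (token, purpose, user_id, now + ttl),
    )
    return token


# --- Weak pattern: the check and the state change are separate statements. ---------------
def naive_is_valid(db, token, now=None):
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT 1 FROM tokens WHERE token = ? AND used_at IS NULL AND expires_at > ?",
        (token, now),
    ).fetchone()
    return row is not None


def naive_mark_used(db, token, now=None):
    now = time.time() if now is None else now
    db.execute("UPDATE tokens SET used_at = ? WHERE token = ?", (now, token))


def naive_race(db, token, now=None):
    """Two requests carrying the same token, interleaved as a scheduler may run them:
    both pass the validity check before either marks the token used.
    Returns how many requests 'succeeded'; the correct answer is 1."""
    a_ok = naive_is_valid(db, token, now)
    b_ok = naive_is_valid(db, token, now)
    succeeded = 0
    for ok in (a_ok, b_ok):
        if ok:
            naive_mark_used(db, token, now)
            succeeded += 1
    return succeeded


# --- Hardened pattern: one atomic statement decides, and the row count is the verdict. ----
def consume_token(db, token, purpose, now=None):
    """Atomically consume a single-use token bound to one purpose.
    Returns the user_id on success; None if the token is unknown, expired, already
    used, or was issued for a different purpose. Any interleaving of concurrent
    callers serialises on this UPDATE, so at most one caller ever sees a row count of 1."""
    now = time.time() if now is None else now
    cur = db.execute(
        "UPDATE tokens SET used_at = ? "
        "WHERE token = ? AND purpose = ? AND used_at IS NULL AND expires_at > ?",
        (now, token, purpose, now),
    )
    if cur.rowcount != 1:
        return None
    # We own this row now (used_at was set by us), so reading it back is safe.
    return db.execute("SELECT user_id FROM tokens WHERE token = ?", (token,)).fetchone()[0]


def cast_vote(db, voter_id, choice):
    """Record one vote per actor. The PRIMARY KEY on voter_id makes the second attempt
    a no-op; rowcount tells us whether this call was the one that counted."""
    cur = db.execute(
        "INSERT OR IGNORE INTO votes(voter_id, choice) VALUES (?, ?)", (voter_id, choice)
    )
    return cur.rowcount == 1


def tally(db):
    return dict(db.execute("SELECT choice, COUNT(*) FROM votes GROUP BY choice").fetchall())


if __name__ == "__main__":
    db = open_db()
    t = issue_token(db, user_id=7, purpose="reset", now=1000.0)
    print("naive handler, two interleaved requests succeeded:", naive_race(db, t, now=1001.0))
    t = issue_token(db, user_id=7, purpose="reset", now=1000.0)
    print("reset token used as activation token:", consume_token(db, t, "activate", now=1001.0))
    print("first consume:", consume_token(db, t, "reset", now=1001.0))
    print("second consume:", consume_token(db, t, "reset", now=1001.0))
    print("vote once:", cast_vote(db, "alice", "A"), "vote again:", cast_vote(db, "alice", "B"))
    print("tally:", tally(db))
```

The design point is that "has this already happened?" must not be a question the application asks and then acts on in a second step; the datastore answers it and performs the change in the same atomic operation, and the caller trusts only the row count (or an equivalent compare-and-set result). The same shape applies to counters such as failed-login limits: increment and read back in one statement rather than read, compare, then write.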

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (10)

  • CVE-2026-42609 · High · May 11, 2026
    risk 0.46 · CVSS 8.1 · EPSS 0.00

    Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a business logic vulnerability in the Grav Admin Panel allows a low-privileged user (with only user creation permissions) to overwrite existing accounts, including the primary administrator. By creating a new user with a…

  • CVE-2024-11717 · Medium · Jan 2, 2025
    risk 0.41 · CVSS n/a · EPSS 0.01

    Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means, that during token expiration time an on-path attacker might…

  • CVE-2025-54315 · High · Oct 2, 2025
    risk 0.39 · CVSS 7.1 · EPSS 0.00

    The Matrix specification before 1.16 (i.e., with a room version before 12) lacks create event uniqueness.

  • CVE-2024-11716 · Medium · Jan 2, 2025
    risk 0.35 · CVSS n/a · EPSS 0.12

    While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing.…

  • CVE-2024-12123 · Medium · Dec 4, 2024
    risk 0.34 · CVSS n/a · EPSS 0.00

    A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. When an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy. The ticket requester…

  • CVE-2026-44601 · Low · May 7, 2026
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.

  • CVE-2025-62784 · Oct 27, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions before 1.6.5 contain a vulnerability where any plugin using a GUI with the GuiStorageElement and allows taking out items out of that element can allow item duplication when the experimental…

  • CVE-2025-62783 · Oct 27, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.1-SNAPSHOT and earlier contain a vulnerability where any plugin using the `GuiStorageElement` can allow item duplication when the experimental Bundle item feature is enabled on the server.…

  • CVE-2025-62782 · Oct 27, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.3-SNAPSHOT and earlier contain a vulnerability where GUIs using GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The…

  • CVE-2024-4629 · Sep 3, 2024
    risk 0.00 · CVSS n/a · EPSS 0.01

    A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system…