Common Weakness Enumeration

CWE-799

Allowed-with-Review

Improper Control of Interaction Frequency

Abstraction: Class · Status: Incomplete

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

108 vulnerabilities reference this CWE, most recent first.

GHSA-GRW6-P9QM-QMX4

Vulnerability from github – Published: 2023-05-31 15:30 – Updated: 2024-04-04 04:26
VLAI
Details

A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-31T15:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A denial of service vulnerability exists in Contec CONPROSYS HMI System versions 3.5.2 and prior. When there is a time-zone mismatch in certain configuration files, a remote, unauthenticated attacker may deny logins for an extended period of time.",
  "id": "GHSA-grw6-p9qm-qmx4",
  "modified": "2024-04-04T04:26:10Z",
  "published": "2023-05-31T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2758"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU93372935/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/research/tra-2023-21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HQHF-C9CF-W4QM

Vulnerability from github – Published: 2024-10-10 00:31 – Updated: 2024-10-11 21:31
VLAI
Details

The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to easily brute-force the 2FA PIN via the plugins/servlet/twofactor/public/pinvalidation endpoint. The last 30 and the next 30 tokens are valid.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-10T00:15:02Z",
    "severity": "MODERATE"
  },
  "details": "The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbucket through 3.1.4.5 allows remote attackers to easily brute-force the 2FA PIN via the plugins/servlet/twofactor/public/pinvalidation endpoint. The last 30 and the next 30 tokens are valid.",
  "id": "GHSA-hqhf-c9cf-w4qm",
  "modified": "2024-10-11T21:31:34Z",
  "published": "2024-10-10T00:31:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48942"
    },
    {
      "type": "WEB",
      "url": "https://syracom-bee.atlassian.net/wiki/spaces/SL/pages/3236560898/2024-09-16+-+Secure+Login+security+advisory+-+Insecure+default+configuration"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HV59-832H-F7J8

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2025-04-23 21:30
VLAI
Details

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). An unauthenticated attacker in the same network of the affected system could brute force the usernames from the affected software.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-14T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.0 SP2). An unauthenticated attacker in the same network of the affected system could brute force the usernames from the affected software.",
  "id": "GHSA-hv59-832h-f7j8",
  "modified": "2025-04-23T21:30:29Z",
  "published": "2022-05-24T19:14:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37191"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-334944.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF69-R24Q-GHHR

Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-05-04 21:59
VLAI
Summary
Duplicate Advisory: OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-wwfp-w96m-c6x8. This link is maintained to preserve external references.

Original Description

OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2026.2.26"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:59:20Z",
    "nvd_published_at": "2026-04-23T22:16:41Z",
    "severity": "MODERATE"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-wwfp-w96m-c6x8. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.",
  "id": "GHSA-mf69-r24q-ghhr",
  "modified": "2026-05-04T21:59:20Z",
  "published": "2026-04-24T00:31:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wwfp-w96m-c6x8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41346"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/9bc1f896c8cd325dd4761681e9bdb8c425f69785"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-improper-pending-pairing-request-cap-enforcement"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Pairing pending-request caps were enforced per channel instead of per account",
  "withdrawn": "2026-05-04T21:59:20Z"
}

GHSA-P77M-F595-QX5V

Vulnerability from github – Published: 2023-07-12 15:30 – Updated: 2024-04-04 06:04
VLAI
Details

In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-38068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-12T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms",
  "id": "GHSA-p77m-f595-qx5v",
  "modified": "2024-04-04T06:04:11Z",
  "published": "2023-07-12T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38068"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PW23-46F3-853X

Vulnerability from github – Published: 2025-05-20 18:30 – Updated: 2025-05-20 18:30
VLAI
Details

OpenFlow discovery protocol can exhaust resources because it is not rate limited

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-20T16:15:35Z",
    "severity": "MODERATE"
  },
  "details": "OpenFlow discovery protocol can exhaust resources because it is not rate limited",
  "id": "GHSA-pw23-46f3-853x",
  "modified": "2025-05-20T18:30:57Z",
  "published": "2025-05-20T18:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48016"
    },
    {
      "type": "WEB",
      "url": "https://selinc.com/products/software/latest-software-versions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QCC3-JQWP-5VH2

Vulnerability from github – Published: 2026-04-02 21:01 – Updated: 2026-05-06 23:24
VLAI
Summary
OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification
Details

Summary

LINE webhook handler lacks shared pre-auth concurrency budget before signature verification

Current Maintainer Triage

  • Status: open
  • Normalized severity: low
  • Assessment: Shipped v2026.3.28 lacks a shared pre-auth concurrency budget on the public LINE webhook path, but the effect is bounded transient availability loss only, so low fits.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • 57c47d8c7fbf5a2e70cc4dec2380977968903cad — 2026-03-31T19:34:25+09:00

OpenClaw thanks @nexrin for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41343"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770",
      "CWE-799"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T21:01:08Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nLINE webhook handler lacks shared pre-auth concurrency budget before signature verification\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 lacks a shared pre-auth concurrency budget on the public LINE webhook path, but the effect is bounded transient availability loss only, so low fits.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `57c47d8c7fbf5a2e70cc4dec2380977968903cad` \u2014 2026-03-31T19:34:25+09:00\n\nOpenClaw thanks @nexrin for reporting.",
  "id": "GHSA-qcc3-jqwp-5vh2",
  "modified": "2026-05-06T23:24:58Z",
  "published": "2026-04-02T21:01:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qcc3-jqwp-5vh2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41343"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/57c47d8c7fbf5a2e70cc4dec2380977968903cad"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-line-webhook-handler-pre-auth-concurrency"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification"
}

GHSA-QRF6-H5FC-7M96

Vulnerability from github – Published: 2022-05-24 17:21 – Updated: 2025-10-22 19:47
VLAI
Summary
Mattermost Server does not enforce rate limits on password change attempts
Details

An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-11069"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-22T19:47:35Z",
    "nvd_published_at": "2020-06-19T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.",
  "id": "GHSA-qrf6-h5fc-7m96",
  "modified": "2025-10-22T19:47:35Z",
  "published": "2022-05-24T17:21:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-11069"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/c976c2881ce5e34febac8a9850a6bad5d728625e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost Server does not enforce rate limits on password change attempts"
}

GHSA-R37H-J483-CJJM

Vulnerability from github – Published: 2021-06-01 21:38 – Updated: 2021-06-04 18:50
VLAI
Summary
Improper rate limiting in Koel
Details

Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phanan/koel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-33563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799",
      "CWE-916"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-01T20:37:37Z",
    "nvd_published_at": "2021-05-24T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.",
  "id": "GHSA-r37h-j483-cjjm",
  "modified": "2021-06-04T18:50:20Z",
  "published": "2021-06-01T21:38:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33563"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koel/koel/releases/tag/v5.1.4"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/1-other-koel/koel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Improper rate limiting in Koel"
}

GHSA-RCJQ-RRM8-5G33

Vulnerability from github – Published: 2024-06-04 09:30 – Updated: 2025-04-03 00:31
VLAI
Details

Improper Control of Interaction Frequency vulnerability in Lester ‘GaMerZ’ Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-40332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-04T08:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Improper Control of Interaction Frequency vulnerability in Lester \u2018GaMerZ\u2019 Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91.",
  "id": "GHSA-rcjq-rrm8-5g33",
  "modified": "2025-04-03T00:31:30Z",
  "published": "2024-06-04T09:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40332"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-91-rating-limit-bypass-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.