Improper Enforcement of a Single, Unique ActionID: 837 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Base |
Description
The software requires that an actor should only be able to
perform an action once, or to have only one unique action, but the software does
not enforce or improperly enforces this restriction.
Extended Description
In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to "stuff the ballot box" by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the software.
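The following is an added example, not part of the CWE entry, illustrating the voting case above in Python. It contrasts a poll service whose "already voted" check trusts a client-held cookie (the pattern behind the polling-software example listed under Observed Examples) with one that keys uniqueness on the server-side authenticated voter id and records the vote under a lock, so a replayed or concurrent duplicate request is rejected instead of counted. The class and function names, the `Request` shape, and the replayed vote sequence are all constructed for this example.

```python
"""Added example (not part of the CWE entry): enforcing a one-vote-per-voter rule.

Constructed scenario: a poll service counts votes. WeakPoll remembers that a user
voted only through a client-controlled cookie, so dropping the cookie lets the
same voter be counted again. HardenedPoll keys the check on the authenticated
voter id held by the server and makes check-and-record atomic.
"""
from collections import Counter
from dataclasses import dataclass, field
import threading


@dataclass
class Request:
    voter_id: str                                 # server-side identity (assumed authenticated)
    choice: str
    cookies: dict = field(default_factory=dict)   # client-controlled state


class WeakPoll:
    """Uniqueness check depends on a cookie the client can simply omit."""

    def __init__(self):
        self.tally = Counter()
        self._lock = threading.Lock()

    def vote(self, req: Request) -> bool:
        if req.cookies.get("voted") == "1":       # trusts client data
            return False
        with self._lock:                          # locking alone does not fix the flaw
            self.tally[req.choice] += 1
        req.cookies["voted"] = "1"                # client may discard this
        return True


class HardenedPoll:
    """Uniqueness enforced on the server, keyed by voter id.

    The membership check and the record are done under one lock so two
    concurrent requests from the same voter cannot both pass the check.
    In a multi-process deployment the same guarantee would come from a
    UNIQUE constraint on voter_id in the votes table.
    """

    def __init__(self):
        self.tally = Counter()
        self._voted = set()
        self._lock = threading.Lock()

    def vote(self, req: Request) -> bool:
        with self._lock:
            if req.voter_id in self._voted:
                return False                      # second action by same actor rejected
            self._voted.add(req.voter_id)
            self.tally[req.choice] += 1
        return True


def run_scenario(poll_cls) -> dict:
    """Replay a constructed sequence against a poll class and return the tally.

    alice votes once, her request is replayed without the cookie, bob votes,
    then 50 further copies of alice's request arrive concurrently.
    """
    poll = poll_cls()
    poll.vote(Request("alice", "A"))
    poll.vote(Request("alice", "A", cookies={}))  # replay with cookie stripped
    poll.vote(Request("bob", "B"))
    threads = [threading.Thread(target=poll.vote, args=(Request("alice", "A", {}),))
               for _ in range(50)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return dict(poll.tally)


if __name__ == "__main__":
    print("weak:", run_scenario(WeakPoll))          # alice counted 52 times
    print("hardened:", run_scenario(HardenedPoll))  # one vote per voter
```

The point of the comparison is what the uniqueness check is keyed on: client-held state is not a record of an action having happened, whereas a server-side record tied to the authenticated actor is, provided the check and the write cannot be interleaved.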
Applicable Platforms
Language Class: Language-independent
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Other | | An attacker might be able to gain advantage over other users by performing the action multiple times, or affect the correctness of the software. |
Detection Methods: None
Potential Mitigations: None
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-837 ChildOf CWE-799 | Weakness | CWE-1000, CWE-699 | |
Demonstrative Examples: None
Observed Examples
- CVE-2008-0294 : Ticket-booking web application allows a user to lock a seat more than once.
- CVE-2005-4051 : CMS allows people to rate downloads by voting more than once.
- CVE-2002-216 : Polling software allows people to vote more than once by setting a cookie.
- CVE-2003-1433 : Chain: lack of validation of a challenge key in a game allows a player to register multiple times and lock other players out of the game.
- CVE-2002-1018 : Library feature allows attackers to check out the same e-book multiple times, preventing other users from accessing copies of the e-book.
- CVE-2009-2346 : Protocol implementation allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many message exchanges.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings: None
References: None