39 matches found
Exploiting API4 — 8 Real-World Unrestricted Resource Consumption Attack Scenarios (and How to Stop Them)
Unrestricted Resource ConsumptionAPI4:2023 is the only threat category in the OWASP API Security Top 10 explicitly dedicated to Denial of Service DoS and resource abuse. But despite being just one category, attackers can exploit it in many different ways; from large file uploads and expensive...
GHSA-7XQM-7738-642X File Browser's Uncontrolled Memory Consumption vulnerability can enable DoS attack due to oversized file processing
Summary A Denial of Service DoS vulnerability exists in the file processing logic when reading a file on endpoint Filebrowser-Server-IP:PORT/files/file-name . While the server correctly handles and stores uploaded files, it attempts to load the entire content into memory during read operations...
CVE-2024-52581
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to...
CVE-2025-32952
The CVE-2025-32952 affects Jmix local file storage (io.jmix.localfs:jmix-localfs) across Jmix 1.x and 2.x releases: versions 1.0.0–1.6.1 and 2.0.0–2.3.4 fail to enforce file size limits on uploads, enabling an attacker to upload excessively large files and potentially exhaust server disk space, c...
CVE-2024-11171 Improper Input Validation in danny-avila/librechat
In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. The application uses multer middleware for handling multipart file uploads. When using in-memory storage the default setting for multer, there is no limit on the upload file size. This can lead to a...
PT-2025-12102
Name of the Vulnerable Software and Affected Versions danny-avila/librechat versions prior to 0.7.6 Description The issue is related to improper input validation, specifically with the handling of multipart file uploads using multer middleware. When in-memory storage is used, there is no limit on...
CVE-2024-46668
An allocation of resources without limits or throttling vulnerability CWE-770 in FortiOS versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, versions 7.0.0 through 7.0.15, and versions 6.4.0 through 6.4.15 may allow an unauthenticated remote user to consume all system memory via multiple...
CVE-2024-46668
An allocation of resources without limits or throttling vulnerability CWE-770 in FortiOS versions 7.4.0 through 7.4.4, versions 7.2.0 through 7.2.8, versions 7.0.0 through 7.0.15, and versions 6.4.0 through 6.4.15 may allow an unauthenticated remote user to consume all system memory via multiple...
PYSEC-2024-178
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to...
CVE-2024-52581
Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to...
PT-2024-10211 · Fortinet · Fortios
Name of the Vulnerable Software and Affected Versions: FortiOS versions 6.4.0 through 6.4.15 FortiOS versions 7.0.0 through 7.0.15 FortiOS versions 7.2.0 through 7.2.8 FortiOS versions 7.4.0 through 7.4.4 Description: The issue is related to an allocation of resources without limits or throttling...
PT-2024-40019 · Typo3 · Typo3
Name of the Vulnerable Software and Affected Versions: TYPO3 affected versions not specified Description: The issue concerns the handling of online media assets, specifically .youtube and .vimeo files, in the TYPO3 backend. It is vulnerable to a denial of service, which occurs when large files wi...
GHSA-3X9G-XFJ5-FQ84 Duplicate Advisory: Cross-Site Request Forgery in Gradio
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-48cq-79qq-6f7x. this link is maintained to preserve external references. Original Description A Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running...
CVE-2023-28837
Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A use...
CVE-2023-28837 Wagtail vulnerable to denial-of-service via memory exhaustion when uploading large files
Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A use...
CVE-2023-22890
SmartBear Zephyr Enterprise through 7.15.0 allows unauthenticated users to upload large files, which could exhaust the local drive space, causing a denial of service condition...
UBUNTU-CVE-2017-9061
In WordPress before 4.7.5, a cross-site scripting XSS vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename...
DEBIAN-CVE-2017-9061
In WordPress before 4.7.5, a cross-site scripting XSS vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename...
we7cms file upload vulnerability
we7cms is a content management system based on asp.net development. we7cms V3.0 system file upload vulnerability, the vulnerability is mainly caused by information leakage of the background upload service exposure, the uploaded service failed to get the identity verification, and the file format...