CWE-837 Detail

CWE-837

Improper Enforcement of a Single, Unique Action
Incomplete
2011-03-30
00h00 +00:00
2025-12-11
00h00 +00:00
CWE Mitre.org
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Notifications manage

Name: Improper Enforcement of a Single, Unique Action

The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction.

CWE Description

In various applications, a user is only expected to perform a certain action once, such as voting, requesting a refund, or making a purchase. When this restriction is not enforced, sometimes this can have security implications. For example, in a voting application, an attacker could attempt to "stuff the ballot box" by voting multiple times. If these votes are counted separately, then the attacker could directly affect who wins the vote. This could have significant business impact depending on the purpose of the product.

General Informations

Modes Of Introduction

Implementation

Applicable Platforms

Language

Class: Not Language-Specific (Undetermined)

Technologies

Class: Not Technology-Specific (Undetermined)
Class: Web Based (Undetermined)
Name: Web Server (Undetermined)

Common Consequences

Scope Impact Likelihood
OtherVaries by Context

Note: An attacker might be able to gain advantage over other users by performing the action multiple times, or affect the correctness of the product.

Observed Examples

References Description

CVE-2008-0294

Ticket-booking web application allows a user to lock a seat more than once.

CVE-2005-4051

CMS allows people to rate downloads by voting more than once.

CVE-2002-216

Polling software allows people to vote more than once by setting a cookie.

CVE-2003-1433

Chain: lack of validation of a challenge key in a game allows a player to register multiple times and lock other players out of the game.

CVE-2002-1018

Library feature allows attackers to check out the same e-book multiple times, preventing other users from accessing copies of the e-book.

CVE-2009-2346

Protocol implementation allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many message exchanges.

Vulnerability Mapping Notes

Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Submission

Name Organization Date Date release Version
CWE Content Team MITRE 2011-03-24 +00:00 2011-03-30 +00:00 1.12

Modifications

Name Organization Date Comment
CWE Content Team MITRE 2012-05-11 +00:00 updated Observed_Examples
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2023-01-31 +00:00 updated Common_Consequences, Description
CWE Content Team MITRE 2023-04-27 +00:00 updated Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Common_Consequences
CWE Content Team MITRE 2025-12-11 +00:00 updated Applicable_Platforms, Time_of_Introduction, Weakness_Ordinalities
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.