WebEOC before 6.0.2 does not properly restrict the size of an uploaded file, which allows remote authenticated users to cause a denial of service (system and database resource consumption) via a large file.