The __VIEWSTATE functionality in Microsoft ASP.NET 1.x, when not cryptographically signed, allows remote attackers to cause a denial of service (CPU consumption) via deeply nested markup.
https://exchange.xforce.ibmcloud.com/vulnerabilities/20408
http://secunia.com/advisories/15241