CWE-285 Improper Authorization: summary of the 1059 CVE entries mapped to this weakness class, with AI-generated analysis in Chinese.
CWE-285 is an access-control weakness: the product does not perform, or incorrectly performs, an authorization check when an actor tries to access a resource or carry out an operation. Attackers typically exploit it by tampering with request parameters (an object ID, a username, a role flag) or by bypassing restrictions that exist only in the client, and so read sensitive data or perform privileged operations as a user who was never granted them. Authentication is not a substitute: the second CWE example below verifies the user's password and still lets that user read any message by supplying someone else's ID. The fix is server-side: enforce role-based or ownership-based access control on every request, checking the specific object and action being requested rather than only that the caller is logged in, so that each operation is available only to the users entitled to it.
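The following is an added example, not code from the CWE entry or from any project listed on this page. It illustrates the guidance above using the same shape as the CWE demonstrative examples that follow (authenticate, then fetch a private message by a client-supplied `id`): a handler with the CWE-285 flaw next to one that performs an object-level, role-aware check on every request, and that returns the same error for "not found" and "not allowed" so the ID space cannot be enumerated. All users, messages, role names and function names are constructed for the demonstration.

```python
"""Added example for CWE-285: object-level authorization on a private-message
lookup keyed by a client-supplied ID. Everything here (users, messages, roles,
function names) is constructed for illustration and is not from any real project."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Message:
    id: int
    owner: str      # recipient; the only ordinary user who may read or delete it
    sender: str
    subject: str
    body: str


class NotAccessible(Exception):
    """Raised for unknown *and* unauthorized IDs so a response never reveals
    whether a guessed ID exists (an attacker enumerating IDs learns nothing)."""


# Constructed sample data standing in for the message table.
MESSAGES = {
    101: Message(101, "alice", "bob", "lunch", "Friday?"),
    102: Message(102, "carol", "dave", "payroll", "see attached"),
}

ALICE = User("alice")                              # owner of message 101
MALLORY = User("mallory")                          # authenticated, owns nothing
AUDITOR = User("erin", frozenset({"auditor"}))     # may read, not delete

# Server-side policy: what a role may do to a message it does not own.
ROLE_PERMISSIONS = {
    "auditor": {"read"},
    "admin": {"read", "delete"},
}


def lookup_message(msg_id: int) -> Message:
    """Raw data access with no policy, like LookupMessageObject in the CWE example."""
    try:
        return MESSAGES[msg_id]
    except KeyError:
        raise LookupError(f"no message {msg_id}") from None


def display_private_message_vulnerable(actor: User, msg_id: int) -> dict:
    """CWE-285: the caller is authenticated, but the tampered 'id' is never
    compared against the caller, so any logged-in user reads any message (IDOR)."""
    m = lookup_message(msg_id)
    return {"from": m.sender, "subject": m.subject, "body": m.body}


def authorize(actor: User, action: str, m: Message) -> bool:
    """Object-level check evaluated on every request, independent of the UI:
    owners may read and delete their own messages; other users need a role
    that grants the action."""
    if m.owner == actor.username:
        return action in {"read", "delete"}
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in actor.roles)


def _load_authorized(actor: User, action: str, msg_id: int) -> Message:
    try:
        m = lookup_message(msg_id)
    except LookupError:
        raise NotAccessible(msg_id) from None   # same error as "forbidden"
    if not authorize(actor, action, m):
        raise NotAccessible(msg_id)
    return m


def display_private_message(actor: User, msg_id: int) -> dict:
    """Fixed handler: authorize before any field of the object is returned."""
    m = _load_authorized(actor, "read", msg_id)
    return {"from": m.sender, "subject": m.subject, "body": m.body}


def delete_private_message(actor: User, msg_id: int) -> bool:
    """Deletion is a separate action with its own policy decision."""
    _load_authorized(actor, "delete", msg_id)
    del MESSAGES[msg_id]
    return True


def attempt(handler, actor: User, msg_id: int):
    """Run a handler and return its result, or 'denied' on NotAccessible."""
    try:
        return handler(actor, msg_id)
    except NotAccessible:
        return "denied"


if __name__ == "__main__":
    print("vulnerable, mallory reads 101:", attempt(display_private_message_vulnerable, MALLORY, 101))
    print("fixed, mallory reads 101:     ", attempt(display_private_message, MALLORY, 101))
    print("fixed, alice reads 101:       ", attempt(display_private_message, ALICE, 101))
    print("fixed, auditor deletes 102:   ", attempt(delete_private_message, AUDITOR, 102))
```

The decision lives in one `authorize` function that takes the actor, the action and the resolved object, which is the shape a practitioner wants: every handler calls it after the lookup and before returning data, the action is explicit (a user allowed to read is not thereby allowed to delete), and the check cannot be skipped by a client that never rendered the button.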
The two code samples below are the demonstrative examples from the CWE-285 entry. In the first, anyone who can reach the page can query any employee's record: the prepared statement prevents SQL injection (CWE-89), but nothing checks whether the requester is allowed to see that employee.

```php
<?php
function runEmployeeQuery($dbName, $name) {
    global $globalDbHandle;  // the example relies on a connection handle held in a global
    mysql_select_db($dbName, $globalDbHandle) or die("Could not open Database" . $dbName);
    // Use a prepared statement to avoid CWE-89
    $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
    $preparedStatement->execute(array(':name' => $name));
    return $preparedStatement->fetchAll();
}
/* ... */
// No authorization check: the employee name comes straight from the query string
$employeeRecord = runEmployeeQuery('EmployeeDB', $_GET['EmployeeName']);
```

In the second, the user is authenticated, but the message ID is taken from the request and looked up without verifying that the message belongs to the authenticated user, so any logged-in user can read another user's private messages by changing `id`.

```perl
use CGI;

sub DisplayPrivateMessage {
    my ($id) = @_;
    my $Message = LookupMessageObject($id);
    print "From: " . encodeHTML($Message->{from}) . "<br>\n";
    print "Subject: " . encodeHTML($Message->{subject}) . "\n";
    print "<hr>\n";
    print "Body: " . encodeHTML($Message->{body}) . "\n";
}

my $q = new CGI;
# For purposes of this example, assume that CWE-309 and
# CWE-523 do not apply.
if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
    ExitError("invalid username or password");
}
my $id = $q->param('id');
# Authenticated, but $id is never checked against the current user's messages
DisplayPrivateMessage($id);
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-12673 | Liquidfiles before 4.2.12 broken access control vulnerability — liquidfiles | - | - | 2026-06-20 |
| CVE-2026-48089 | DevGuard public assets unauthorized access vulnerability — devguard | - | - | 2026-06-19 |
| CVE-2026-49338 | Subsonic API: any user can delete or read other users' playlists (IDOR) — gonic | 7.1 | High | 2026-06-19 |
| CVE-2026-20190 | Cisco Identity Services Engine Software authorization issue vulnerability — Cisco Identity Services Engine Software | 7.5 | High | 2026-06-17 |
| CVE-2026-12213 | hcengineering huly platform permission and access control issue vulnerability — Huly Platform | 4.3 | Medium | 2026-06-15 |
| CVE-2026-47342 | Apache OFBiz authorization issue vulnerability — Apache OFBiz | - | - | 2026-06-10 |
| CVE-2026-46668 | SpiceDB authorization issue vulnerability — spicedb | - | - | 2026-06-10 |
| CVE-2026-47298 | Microsoft Office SharePoint authorization issue vulnerability — Microsoft SharePoint Enterprise Server 2016 | 8.0 | High | 2026-06-09 |
| CVE-2026-45503 | Microsoft Exchange Server authorization issue vulnerability — Microsoft Exchange Server 2016 Cumulative Update 23 | 8.1 | High | 2026-06-09 |
| CVE-2026-45490 | Microsoft .NET authorization issue vulnerability — .NET 10.0 | 7.8 | High | 2026-06-09 |
| CVE-2026-42902 | Microsoft PowerToys authorization issue vulnerability — Microsoft PowerToys | 7.8 | High | 2026-06-09 |
| CVE-2026-11619 | Dolibarr ERP CRM security vulnerability — ERP CRM | 6.3 | Medium | 2026-06-09 |
| CVE-2026-11533 | student_management_system security vulnerability — student_management_system | 5.4 | Medium | 2026-06-08 |
| CVE-2026-46656 | Bludit authorization issue vulnerability — bludit | 8.8 | High | 2026-06-08 |
| CVE-2026-11521 | Bank Management System security vulnerability — bank-management-system-springboot | 6.3 | Medium | 2026-06-08 |
| CVE-2026-11519 | SourceCodester Inventory System security vulnerability — Inventory System | 6.3 | Medium | 2026-06-08 |
| CVE-2026-11476 | Student-Management-System security vulnerability — student-management-system | 6.3 | Medium | 2026-06-08 |
| CVE-2026-11462 | BeikeShop authorization issue vulnerability — BeikeShop | 7.3 | High | 2026-06-07 |
| CVE-2026-11441 | OneDev authorization issue vulnerability — onedev | 6.3 | Medium | 2026-06-06 |
| CVE-2026-11440 | OneDev authorization issue vulnerability — onedev | 6.3 | Medium | 2026-06-06 |
| CVE-2026-11439 | OneDev authorization issue vulnerability — onedev | 6.3 | Medium | 2026-06-06 |
| CVE-2026-11438 | OneDev authorization issue vulnerability — onedev | 6.3 | Medium | 2026-06-06 |
| CVE-2026-10580 | WordPress plugin Hippoo Mobile App for WooCommerce authorization issue vulnerability — Hippoo Mobile App for WooCommerce | 9.8 | Critical | 2026-06-05 |
| CVE-2026-11336 | CollegeManagementSystem authorization issue vulnerability — CollegeManagementSystem | 6.3 | Medium | 2026-06-05 |
| CVE-2026-10876 | SourceCodester Ship Ferry Ticket Reservation System authorization issue vulnerability — Ship Ferry Ticket Reservation System | 6.3 | Medium | 2026-06-04 |
| CVE-2026-48579 | Microsoft Exchange Online authorization issue vulnerability — Microsoft Exchange Online | 9.1 | Critical | 2026-06-04 |
| CVE-2026-41522 | Iris authorization issue vulnerability — iris-web | - | - | 2026-06-04 |
| CVE-2026-10693 | SourceCodester Online Boat Reservation System authorization issue vulnerability — Online Boat Reservation System | 6.3 | Medium | 2026-06-03 |
| CVE-2026-33398 | NamelessMC security vulnerability — Nameless | - | - | 2026-06-02 |
| CVE-2026-41115 | Apache Kafka security vulnerability — Apache Kafka | - | - | 2026-06-02 |
CWE-285 (Improper Authorization) is a common weakness class; this platform indexes 1059 CVE vulnerabilities associated with it.