CWE-285 Improper Authorization: a summary of the 1059 CVE entries in this weakness class, with AI-generated analysis in Chinese.
CWE-285 is an access-control weakness: the system fails to perform a correct authorization check when a resource is accessed or an operation is executed. Attackers commonly tamper with request parameters or bypass client-side restrictions to read sensitive data or perform privileged operations under an identity that is not entitled to them. Developers should implement strict role-based access control and verify fine-grained permissions on the server side for every request, so that only legitimate users can perform the corresponding operations and the risk of unauthorized access is eliminated.
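The paragraph above recommends a server-side, per-request permission check. The following Python example, added here and not taken from the original page or from the CWE entry, shows the difference between authenticating a user and authorizing that user's access to one specific object: a vulnerable handler that trusts the requested message id, and a hardened handler that checks ownership or role before returning data. The `User` and `Message` types, the role names "user" and "admin", the in-memory message store, the audit log and `handle_request` are all constructed for illustration.

```python
"""Server-side, object-level authorization check (CWE-285).

Added example written for this page; it is not code from the original page
or from the CWE entry. The User/Message types, the role names, the message
store and the request handler are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


class AuthorizationError(Exception):
    """The caller is authenticated but not permitted to act on this resource."""


@dataclass(frozen=True)
class User:
    username: str
    role: str  # constructed roles: "user" or "admin"


@dataclass(frozen=True)
class Message:
    id: int
    owner: str  # username of the recipient allowed to read it
    sender: str
    subject: str
    body: str


# Constructed sample data standing in for a database table.
MESSAGES = {
    1: Message(1, owner="alice", sender="bob", subject="lunch", body="noon?"),
    2: Message(2, owner="carol", sender="dave", subject="salary", body="confidential figures"),
}

# Constructed audit trail: denied attempts are worth logging for detection.
AUDIT_LOG = []


def lookup_message(message_id: int) -> Message:
    """Data-access layer only; no policy decision is made here."""
    if message_id not in MESSAGES:
        raise LookupError(f"no message with id {message_id}")
    return MESSAGES[message_id]


def display_private_message_vulnerable(current_user: User, message_id: int) -> dict:
    """Authentication already happened, but the id is used as-is: any logged-in
    user can read any message. This is the CWE-285 pattern."""
    m = lookup_message(message_id)
    return {"from": m.sender, "subject": m.subject, "body": m.body}


def authorize_message_read(current_user: User, message: Message) -> None:
    """Policy: a user may read messages addressed to them; admins may read any.
    The decision uses the server-side session user, never a request parameter."""
    if current_user.role == "admin" or message.owner == current_user.username:
        return
    AUDIT_LOG.append((current_user.username, message.id, "read denied"))
    raise AuthorizationError(f"{current_user.username} may not read message {message.id}")


def display_private_message_fixed(current_user: User, message_id: int) -> dict:
    """Same output as the vulnerable version, but only after the policy check."""
    m = lookup_message(message_id)
    authorize_message_read(current_user, m)
    return {"from": m.sender, "subject": m.subject, "body": m.body}


def handle_request(current_user: User, message_id: int) -> Tuple[str, Optional[dict]]:
    """Request handler around the fixed function. 'Not found' and 'not yours'
    get the same response, so an id probe cannot tell which one occurred."""
    try:
        return "ok", display_private_message_fixed(current_user, message_id)
    except (LookupError, AuthorizationError):
        return "denied", None


if __name__ == "__main__":
    alice = User("alice", "user")
    print(display_private_message_vulnerable(alice, 2))  # carol's message leaks
    print(handle_request(alice, 1))                       # ok
    print(handle_request(alice, 2))                       # denied
    print(handle_request(User("root", "admin"), 2))       # ok for an admin
```

The policy lives in one function (`authorize_message_read`) that every read path must call, and the denial is recorded so repeated probing of ids by a single account shows up in logs.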
```php
<?php
// CWE demonstrative example (PHP). The query is parameterized, so CWE-89 is
// avoided, but nothing checks whether the requesting user is allowed to view
// the employee record that is returned.
function runEmployeeQuery($dbName, $name){
    global $globalDbHandle;   // the shared database handle used below
    mysql_select_db($dbName,$globalDbHandle) or die("Could not open Database".$dbName);
    //Use a prepared statement to avoid CWE-89
    $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
    $preparedStatement->execute(array(':name' => $name));
    return $preparedStatement->fetchAll();
}
/.../
// The employee name is taken directly from the request with no authorization check.
$employeeRecord = runEmployeeQuery('EmployeeDB',$_GET['EmployeeName']);
```

```perl
# CWE demonstrative example (Perl). AuthenticateUser() establishes who the
# caller is, but no check is made that the caller may read message $id.
sub DisplayPrivateMessage {
    my($id) = @_;
    my $Message = LookupMessageObject($id);
    print "From: " . encodeHTML($Message->{from}) . "<br>\n";
    print "Subject: " . encodeHTML($Message->{subject}) . "\n";
    print "<hr>\n";
    print "Body: " . encodeHTML($Message->{body}) . "\n";
}

my $q = new CGI;
# For purposes of this example, assume that CWE-309 and
# CWE-523 do not apply.
if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
    ExitError("invalid username or password");
}
# The message id comes from the request and is passed through unverified.
my $id = $q->param('id');
DisplayPrivateMessage($id);
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-10294 | PackageKit improper authorization vulnerability — PackageKit | 4.3 | Medium | 2026-06-01 |
| CVE-2026-10285 | Project Management improper authorization vulnerability — project-management | 5.4 | Medium | 2026-06-01 |
| CVE-2026-10284 | Project Management improper authorization vulnerability — project-management | 5.4 | Medium | 2026-06-01 |
| CVE-2026-10282 | DaybydayCRM improper authorization vulnerability — DaybydayCRM | 4.3 | Medium | 2026-06-01 |
| CVE-2026-0072 | Google Android security vulnerability — Android XR | - | - | 2026-06-01 |
| CVE-2026-45275 | Nextcloud improper authorization vulnerability — security-advisories | 6.5 | Medium | 2026-06-01 |
| CVE-2026-10272 | Student-Management-System improper authorization vulnerability — Student-Management-System | 6.5 | Medium | 2026-06-01 |
| CVE-2026-10269 | 9Router improper authorization vulnerability — 9router | 6.3 | Medium | 2026-06-01 |
| CVE-2026-40963 | Apache Airflow security vulnerability — Apache Airflow | - | - | 2026-06-01 |
| CVE-2026-10236 | SourceCodester Water Billing Management System improper authorization vulnerability — Water Billing Management System | 7.3 | High | 2026-06-01 |
| CVE-2026-46605 | Apache ActiveMQ security vulnerability — Apache ActiveMQ Broker | - | - | 2026-06-01 |
| CVE-2026-10218 | goclaw improper authorization vulnerability — GoClaw | 5.4 | Medium | 2026-06-01 |
| CVE-2026-10215 | Dolibarr ERP CRM improper authorization vulnerability — ERP CRM | 4.3 | Medium | 2026-06-01 |
| CVE-2026-48810 | FreeScout improper authorization vulnerability — freescout | 4.3 | Medium | 2026-05-29 |
| CVE-2026-47740 | shopper security vulnerability — shopper | 8.1 | High | 2026-05-29 |
| CVE-2026-10070 | mall improper authorization vulnerability — mall | 4.7 | Medium | 2026-05-29 |
| CVE-2026-47713 | AnythingLLM security vulnerability — anything-llm | 2.0 | Low | 2026-05-28 |
| CVE-2026-45297 | OpenReplay security vulnerability — openreplay | - | - | 2026-05-28 |
| CVE-2026-47673 | Hono improper authorization vulnerability — hono | 4.8 | Medium | 2026-05-28 |
| CVE-2026-6938 | IBM Db2 improper authorization vulnerability — Db2 | 6.5 | Medium | 2026-05-27 |
| CVE-2026-46620 | e107 cross-site request forgery vulnerability — e107 | 6.5 | Medium | 2026-05-26 |
| CVE-2026-9484 | SourceCodester Student Grades Management System improper authorization vulnerability — Student Grades Management System | 6.3 | Medium | 2026-05-25 |
| CVE-2026-9483 | SourceCodester Student Grades Management System improper authorization vulnerability — Student Grades Management System | 6.3 | Medium | 2026-05-25 |
| CVE-2026-9410 | Invoice-System improper authorization vulnerability — Invoice-System | 4.3 | Medium | 2026-05-25 |
| CVE-2026-9409 | Invoice-System improper authorization vulnerability — Invoice-System | 4.3 | Medium | 2026-05-25 |
| CVE-2026-9397 | Besen BS20 EV Charging Station improper authorization vulnerability — BS20 EV Charging Station | 8.1 | High | 2026-05-24 |
| CVE-2026-9376 | JPress improper authorization vulnerability — JPress | 6.3 | Medium | 2026-05-24 |
| CVE-2022-34363 | Dell Unisphere for PowerMax vApp improper authorization vulnerability — Unisphere for PowerMax | 6.5 | Medium | 2026-05-22 |
| CVE-2026-45187 | Apache OFBiz improper authorization vulnerability — Apache OFBiz | - | - | 2026-05-19 |
| CVE-2026-8747 | Z-BlogPHP security vulnerability — Z-BlogPHP | 6.3 | Medium | 2026-05-17 |
CWE-285 (Improper Authorization) is a common weakness category; this platform indexes 1059 CVE entries associated with it.