
CWE-288 Authentication Bypass Using an Alternate Path or Channel: Vulnerability List (489)

Summary of the 489 CVEs classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), each with AI-generated analysis in Chinese.

CWE-288 describes an authentication bypass in which the system does have an authentication mechanism, but also exposes an alternate path or channel that never invokes it. Attackers reach restricted resources directly through the unprotected interface or hidden entry point, so the identity check is never performed. Developers should ensure that every entry point enforces the same strict authentication policy, review the architecture end to end for any route that reaches a protected resource, and remove every path that allows unauthenticated access.

Official MITRE CWE Description
CWE-288 Authentication Bypass Using an Alternate Path or Channel. Description: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism
Mitigations (1)
Phase: Architecture and Design. Funnel all access through a single choke point to simplify how users can access a resource. For every access, perform a check to determine if the user has permissions to access the resource.
Code Examples (1)
Register SECURE_ME is located at address 0xF00. A mirror of this register called COPY_OF_SECURE_ME is at location 0x800F00. The register SECURE_ME is protected from malicious agents and only allows access to select, while COPY_OF_SECURE_ME is not. Access control is implemented using an allowlist (as indicated by a…

module foo_bar(data_out, data_in, incoming_id, address, clk, rst_n);
  output [31:0] data_out;
  input [31:0] data_in, incoming_id, address;
  input clk, rst_n;
  wire write_auth, addr_auth;
  reg [31:0] data_out, acl_oh_allowlist, q;
  // write_auth: the requester's ID must match a bit of the allowlist
  assign write_auth = | (incoming_id & acl_oh_allowlist) ? 1 : 0;
  always @* acl_oh_allowlist <= 32'h8312;
  // addr_auth: only the primary address is recognized; the mirror is not
  assign addr_auth = (address == 32'hF00) ? 1: 0;
  always @ (posedge clk or negedge rst_n)
    if (!rst_n)
    begin
      q <= 32'h0;
      data_out <= 32'h0;
    end
    else
    begin
      q <= (addr_auth & write_auth) ? data_in: q;
      data_out <= q;
    end
endmodule
Informative · Verilog

assign addr_auth = (address == 32'hF00) ? 1: 0;
Bad · Verilog: addr_auth only recognizes the protected address 0xF00, so a write arriving through the mirror at 0x800F00 is never subjected to the allowlist check; the mirror is the alternate channel.
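The same flaw in application terms, as an added example that is not code from this page or from MITRE: the Verilog sample exposes a protected register through an unprotected mirror address, and the web equivalent is one privileged operation reachable on two routes, only one of which checks the caller. The hardened version applies the page's mitigation (a single choke point that authenticates and authorizes before any handler runs). All routes, tokens and users are invented for illustration.

```python
"""Added example, not code from the page or from MITRE: CWE-288 modelled as a
tiny request router. Routes, tokens and users are invented."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Principal:
    name: str
    role: str


# Constructed session store (bearer token -> principal); stands in for a real one.
SESSIONS: Dict[str, Principal] = {
    "tok-admin": Principal("alice", "admin"),
    "tok-user": Principal("bob", "user"),
}


def authenticate(req: Request) -> Optional[Principal]:
    """Resolve the Authorization header to a Principal, or None if absent/invalid."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def export_users() -> str:
    """The privileged operation: the SECURE_ME register in application terms."""
    return ",".join(p.name for p in SESSIONS.values())


# --- Vulnerable: each handler does its own check, and one handler forgot ----

def vulnerable_dispatch(req: Request) -> Tuple[int, str]:
    if req.path == "/admin/export":
        principal = authenticate(req)
        if principal is None:
            return 401, "unauthorized"
        if principal.role != "admin":
            return 403, "forbidden"
        return 200, export_users()
    if req.path == "/internal/export":
        # The alternate channel (COPY_OF_SECURE_ME): same data, no check at all.
        return 200, export_users()
    return 404, "not found"


# --- Hardened: one choke point, every route declares its required role -------

# Route table: path -> (required role, handler). Anything not listed is denied.
ROUTES: Dict[str, Tuple[str, Callable[[], str]]] = {
    "/admin/export": ("admin", export_users),
    "/internal/export": ("admin", export_users),
}


def hardened_dispatch(req: Request) -> Tuple[int, str]:
    route = ROUTES.get(req.path)
    if route is None:
        return 404, "not found"
    required_role, handler = route
    principal = authenticate(req)          # runs before any handler, always
    if principal is None:
        return 401, "unauthorized"
    if principal.role != required_role:
        return 403, "forbidden"
    return 200, handler()


def audit_unauthenticated(dispatch: Callable[[Request], Tuple[int, str]],
                          paths: List[str]) -> List[str]:
    """Probe every known path with no credentials and return those that still
    answer 200. Any hit is an alternate path in the CWE-288 sense."""
    return [p for p in paths if dispatch(Request(p))[0] == 200]


if __name__ == "__main__":
    print("unprotected routes (vulnerable):",
          audit_unauthenticated(vulnerable_dispatch, list(ROUTES)))
    print("unprotected routes (hardened):  ",
          audit_unauthenticated(hardened_dispatch, list(ROUTES)))
```

The audit helper is the check worth running against every route a real application registers, including AJAX and REST endpoints that are easy to forget: when the route table is the only way to reach a handler, a missing check shows up as a missing table entry rather than as a silent hole, which is exactly what the choke-point mitigation buys.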
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2020-37255 | WordPress Time Capsule 1.21.16 Authentication Bypass Vulnerability | Time Capsule Plugin | 7.5 | High | 2026-06-20 |
| CVE-2019-25763 | WordPress Ultimate Addons for Beaver Builder 1.2.4.1 Authentication Bypass Vulnerability | Ultimate Addons for Beaver Builder | 9.8 | Critical | 2026-06-20 |
| CVE-2026-50194 | Steeltoe Management Port Isolation Bypass via Spoofed Host Header | Steeltoe.Management.Endpoint | 8.2 | High | 2026-06-17 |
| CVE-2026-54817 | FluxBuilder MStore API Authorization Issue Vulnerability | MStore API | 6.5 | Medium | 2026-06-17 |
| CVE-2026-54804 | Melhor Envio Authorization Issue Vulnerability | Melhor Envio | 7.6 | High | 2026-06-17 |
| CVE-2026-49767 | tomdever wpForo Forum Authorization Issue Vulnerability | wpForo Forum | 9.8 | Critical | 2026-06-17 |
| CVE-2026-49071 | opmc woocommerce dropshipping Authorization Issue Vulnerability | WooCommerce Dropshipping | 6.5 | Medium | 2026-06-17 |
| CVE-2026-42629 | WordPress PowerPack Pro < v2.13.0 Authentication Vulnerability | PowerPack Pro for Elementor | 8.8 | High | 2026-06-17 |
| CVE-2026-25439 | fs-code Booknetic Authorization Issue Vulnerability | Booknetic | 8.1 | High | 2026-06-17 |
| CVE-2026-12225 | Syracom Secure Login Two-Factor Authentication Bypass Vulnerability | Secure Login (2FA) for Jira | n/a | n/a | 2026-06-16 |
| CVE-2026-49764 | Metagauss RegistrationMagic Authorization Issue Vulnerability | RegistrationMagic | 9.8 | Critical | 2026-06-15 |
| CVE-2026-48970 | Really Simple Plugins Really Simple SSL Authorization Issue Vulnerability | Really Simple SSL | 8.1 | High | 2026-06-15 |
| CVE-2026-42668 | Omnisend Email Marketing for WooCommerce Authorization Issue Vulnerability | Email Marketing for WooCommerce by Omnisend | 7.5 | High | 2026-06-15 |
| CVE-2026-42411 | XServer CloudSecure WP Security Authorization Issue Vulnerability | CloudSecure WP Security | 8.1 | High | 2026-06-15 |
| CVE-2026-42378 | Themeisle WP Full Stripe Free Authorization Issue Vulnerability | WP Full Stripe Free | 6.5 | Medium | 2026-06-15 |
| CVE-2026-40799 | RelyWP Simple Cloudflare Turnstile Authorization Issue Vulnerability | Simple Cloudflare Turnstile | 5.8 | Medium | 2026-06-15 |
| CVE-2026-40790 | VeronaLabs WP SMS Authorization Issue Vulnerability | WP SMS | 6.5 | Medium | 2026-06-15 |
| CVE-2026-40785 | Ruben Garcia AutomatorWP Authorization Issue Vulnerability | AutomatorWP | 7.1 | High | 2026-06-15 |
| CVE-2026-40781 | ReviewX Authorization Issue Vulnerability | ReviewX | 7.5 | High | 2026-06-15 |
| CVE-2026-39450 | Aman FunnelKit Automations Authorization Issue Vulnerability | FunnelKit Automations | 7.1 | High | 2026-06-15 |
| CVE-2026-49062 | WPEngine Faust.js Authorization Issue Vulnerability | Faust.js | 8.8 | High | 2026-06-15 |
| CVE-2026-10523 | Ivanti Sentry Security Vulnerability | Sentry | 9.9 | Critical | 2026-06-09 |
| CVE-2026-5415 | WordPress plugin WP Captcha PRO Security Vulnerability | Advanced Google reCAPTCHA | 8.8 | High | 2026-06-05 |
| CVE-2026-40780 | WordPress plugin BookIt Security Vulnerability | BookIt | 7.5 | High | 2026-06-02 |
| CVE-2026-42654 | WordPress plugin Wallet System for WooCommerce Security Vulnerability | Wallet System for WooCommerce | 7.1 | High | 2026-06-02 |
| CVE-2026-45577 | Neotoma Access Control Error Vulnerability | neotoma | n/a | n/a | 2026-05-29 |
| CVE-2025-41273 | Waterfall WF-500 Security Vulnerability | WF-500 | n/a | n/a | 2026-05-29 |
| CVE-2026-8697 | TP-Link Archer C64 Security Vulnerability | Archer C64 v1.0 | n/a | n/a | 2026-05-28 |
| CVE-2026-8990 | View Concept Kidsview Security Vulnerability | Kidsview | n/a | n/a | 2026-05-28 |
| CVE-2026-35090 | Slican multiple products Security Vulnerability | CCT-1668 | n/a | n/a | 2026-05-27 |

CVSS and Severity are shown as n/a where the listing gives no score.

CWE-288 (Authentication Bypass Using an Alternate Path or Channel) is a common weakness class; this platform has collected 489 CVEs associated with it.