
CWE-346 (Origin Validation Error) — Vulnerability Class 159

159 vulnerabilities classified as CWE-346 (Origin Validation Error). AI-generated Chinese analysis included.

CWE-346, Origin Validation Error, represents a critical weakness where software fails to adequately verify the authenticity or legitimacy of data sources and communication endpoints. Attackers typically exploit this vulnerability by spoofing trusted origins, such as forging HTTP headers or manipulating network packets to appear as if they originate from a legitimate internal system. This deception allows adversaries to bypass security controls, execute unauthorized actions, or inject malicious payloads that the application blindly trusts. To mitigate this risk, developers must implement robust validation mechanisms that strictly verify the source of incoming requests. This includes checking cryptographic signatures, validating domain names against a whitelist, and ensuring that sensitive operations are only performed when the origin is explicitly confirmed. By enforcing strict origin verification, organizations can prevent unauthorized access and maintain the integrity of their application logic against sophisticated spoofing attacks.
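As an added illustration of the allowlist check described above (example code, not from the CWE entry or any listed product), the following contrasts the origin-reflection and substring-matching patterns behind several CORS misconfiguration entries on this page with a strict exact-match check. The allowlisted hostnames are assumptions.

```javascript
// Added example: strict Origin allowlisting versus two weak patterns.
// The hostnames below are assumed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak pattern 1: reflect whatever Origin the client sent and allow credentials.
// Any site the user visits can then read authenticated responses.
function corsHeadersReflecting(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Weak pattern 2: substring/suffix matching. Both
// "https://app.example.com.evil.test" and "https://evil.test/?x=app.example.com"
// satisfy it.
function isAllowedBySubstring(origin) {
  return typeof origin === "string" && origin.includes("app.example.com");
}

// Strict check: parse the Origin, normalise to scheme://host[:port] and
// require an exact match. Missing, "null" and unparsable origins are rejected.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try { parsed = new URL(origin); } catch { return false; }
  if (parsed.protocol !== "https:") return false;
  // URL.origin discards any path, query or userinfo appended to the value.
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Emit CORS headers only for an allowlisted origin; otherwise send none so the
// browser's same-origin policy applies. Vary: Origin tells shared caches the
// response depends on the Origin header, so one origin's answer is not
// served to another.
function corsHeadersStrict(origin) {
  if (!isAllowedOrigin(origin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": new URL(origin).origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}
```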

MITRE CWE Description
The product does not properly verify that the source of data or communication is valid.

Common Consequences (1)
Scope: Access Control, Other
Impact: Gain Privileges or Assume Identity; Varies by Context
An attacker can access any functionality that is inadvertently accessible to the source.
Examples (2)
This Android application will remove a user account when it receives an intent to do so:
```java
IntentFilter filter = new IntentFilter("com.example.RemoveUser");
DeleteReceiver receiver = new DeleteReceiver();
registerReceiver(receiver, filter);

public class DeleteReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // The sender of the broadcast is never verified: any application on the
        // device can send an intent with this action and trigger the deletion.
        int userID = intent.getIntExtra("userID", -1);
        destroyUserData(userID);
    }
}
```
Bad · Java
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:
```java
// Android
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
    // The origin of the page that requested the URL is never checked, so any
    // content loaded into the WebView can invoke the custom scheme.
    if (url.substring(0, 14).equalsIgnoreCase("examplescheme:")) {
        if (url.substring(14, 25).equalsIgnoreCase("getUserInfo")) {
            writeDataToView(view, UserData);
            return false;
        } else {
            return true;
        }
    }
    return false; // let the WebView load all other URLs normally
}
```
Bad · Java
```objectivec
// iOS
- (BOOL)webView:(UIWebView *)exWebView
    shouldStartLoadWithRequest:(NSURLRequest *)exRequest
    navigationType:(UIWebViewNavigationType)exNavigationType {
    NSURL *URL = [exRequest URL];
    // As in the Android case, the requesting page's origin is never checked.
    if ([[URL scheme] isEqualToString:@"exampleScheme"]) {
        NSString *functionString = [URL resourceSpecifier];
        if ([functionString hasPrefix:@"specialFunction"]) {
            // Make data available back in webview.
            UIWebView *webView = [self writeDataToView:[URL query]];
        }
        return NO;
    }
    return YES;
}
```
Bad · Objective-C
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-2346 | IROAD Dash Cam X5/Dash Cam X6 Domain origin validation | Dash Cam X5 | 5.6 | Medium | 2025-03-16 |
| CVE-2025-25306 | Misskey's Incomplete Patch of CVE-2024-52591 Leads to Forgery of Federated Notes | misskey | 9.3 | Critical | 2025-03-10 |
| CVE-2025-25302 | Rembg CORS misconfiguration | rembg | 5.9 | - | 2025-03-03 |
| CVE-2025-1102 | Q-Free MAXTIME Suite Access Control Error Vulnerability | MaxTime | 5.5 | Medium | 2025-02-12 |
| CVE-2024-55948 | Anonymous cache poisoning via XHR requests in Discourse | discourse | 8.2 | High | 2025-02-04 |
| CVE-2025-23023 | Anonymous cache poisoning via request headers in Discourse | discourse | 8.2 | High | 2025-02-04 |
| CVE-2024-57965 | Axios Security Vulnerability | axios | - | - | 2025-01-29 |
| CVE-2025-24010 | Vite allows any websites to send any requests to the development server and read the response | vite | 6.5 | Medium | 2025-01-20 |
| CVE-2023-46715 | Fortinet FortiOS Access Control Error Vulnerability | FortiProxy | 4.7 | Medium | 2025-01-14 |
| CVE-2024-55917 | Trend Micro Apex One Security Vulnerability | Trend Micro Apex One | 7.8 | High | 2024-12-31 |
| CVE-2024-10534 | Improper Access Control in Dataprom Informatics' PACS-ACSS | Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS) | 9.8 (AI) | Critical (AI) | 2024-11-15 |
| CVE-2024-6674 | Data Leak through CORS Misconfiguration in parisneo/lollms-webui | parisneo/lollms-webui | 7.1 (AI) | High (AI) | 2024-10-29 |
| CVE-2024-23458 | Local Privilege Escalation on Zscaler Client Connector on Windows | Client Connector | 7.3 | High | 2024-08-06 |
| CVE-2024-22062 | Permissions and Access Control Vulnerability in ZTE ZXCLOUD IRAI | ZXCLOUD IRAI | 6.3 | Medium | 2024-07-09 |
| CVE-2024-5549 | Data leak through CORS misconfiguration in stitionai/devika | stitionai/devika | 8.2 | - | 2024-07-09 |
| CVE-2024-36421 | GHSL-2023-234: Flowise Cors Misconfiguration in packages/server/src/index.ts | Flowise | 7.5 | High | 2024-07-01 |
| CVE-2024-6301 | Origin Validation Error in Conduit | Conduit | 5.3 | Medium | 2024-06-25 |
| CVE-2024-5905 | Cortex XDR Agent: Local Windows User Can Disrupt Functionality of the Agent | Cortex XDR Agent | 7.1 (AI) | High (AI) | 2024-06-12 |
| CVE-2024-28883 | BIG-IP APM browser network access VPN client vulnerability | BIG-IP Edge Client | 7.4 | High | 2024-05-08 |
| CVE-2024-2377 | Hitachi Energy SDM600 Security Vulnerability | SDM600 | 7.6 | High | 2024-04-30 |
| CVE-2024-1249 | Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos | - | 7.4 | High | 2024-04-17 |
| CVE-2023-5973 | Truncated port name | Fabric OS | 4.3 | Medium | 2024-04-05 |
| CVE-2024-2182 | Ovn: insufficient validation of bfd packets may lead to denial of service | - | 6.5 | Medium | 2024-03-12 |
| CVE-2024-25996 | PHOENIX CONTACT: Remote code execution due to an origin validation error in CHARX Series | CHARX SEC-3000 | 5.3 | Medium | 2024-03-12 |
| CVE-2023-30996 | IBM Cognos Analytics cross-origin resource sharing | Cognos Analytics | 5.3 | Medium | 2024-02-24 |
| CVE-2024-25124 | Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials | fiber | 9.4 | Critical | 2024-02-21 |
| CVE-2024-26135 | MeshCentral cross-site websocket hijacking (CSWSH) vulnerability | MeshCentral | 8.4 | High | 2024-02-20 |
| CVE-2024-24782 | HIMA: Origin Validation Error in multiple products | F30 03X YY (COM) | 4.3 | Medium | 2024-02-13 |
| CVE-2024-24557 | Moby classic builder cache poisoning | moby | 6.9 | Medium | 2024-02-01 |
| CVE-2023-20275 | Cisco Adaptive Security Appliance and Firepower Threat Defense Security Vulnerability | Cisco Adaptive Security Appliance (ASA) Software | 4.1 | Medium | 2023-12-12 |

Values marked (AI) are those the site labels as AI-generated rather than vendor- or NVD-assigned; "-" means no value was listed.

Vulnerabilities classified as CWE-346 (Origin Validation Error) represent 159 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.