
CWE-346 (Origin Validation Error) — Vulnerability Class 159

159 vulnerabilities classified as CWE-346 (Origin Validation Error). AI Chinese analysis included.

CWE-346, Origin Validation Error, represents a critical weakness where software fails to adequately verify the authenticity or legitimacy of data sources and communication endpoints. Attackers typically exploit this vulnerability by spoofing trusted origins, such as forging HTTP headers or manipulating network packets to appear as if they originate from a legitimate internal system. This deception allows adversaries to bypass security controls, execute unauthorized actions, or inject malicious payloads that the application blindly trusts. To mitigate this risk, developers must implement robust validation mechanisms that strictly verify the source of incoming requests. This includes checking cryptographic signatures, validating domain names against a whitelist, and ensuring that sensitive operations are only performed when the origin is explicitly confirmed. By enforcing strict origin verification, organizations can prevent unauthorized access and maintain the integrity of their application logic against sophisticated spoofing attacks.

MITRE CWE Description
The product does not properly verify that the source of data or communication is valid.
Common Consequences (1)
Scope: Access Control, Other
Impact: Gain Privileges or Assume Identity; Varies by Context
Note: An attacker can access any functionality that is inadvertently accessible to the source.
Examples (2)
This Android application will remove a user account when it receives an intent to do so:
    IntentFilter filter = new IntentFilter("com.example.RemoveUser");
    DeleteReceiver receiver = new DeleteReceiver();   // original read MyReceiver; the class defined below is DeleteReceiver
    registerReceiver(receiver, filter);               // registered without a permission, so any app on the device can send this broadcast

    public class DeleteReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            int userID = intent.getIntExtra("userID", -1);   // getIntExtra requires a default value
            destroyUserData(userID);                          // the sender of the intent is never verified
        }
    }
Bad · Java
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the JavaScript within the WebView to communicate with the application:
    // Android
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (url.substring(0, 14).equalsIgnoreCase("examplescheme:")) {
            if (url.substring(14, 25).equalsIgnoreCase("getUserInfo")) {
                writeDataToView(view, UserData);   // data handed out without checking which page issued the request
                return false;
            } else {
                return true;
            }
        }
        return false;   // every path must return; URLs with other schemes load normally
    }
Bad · Java
    // iOS
    -(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType
    {
        NSURL *URL = [exRequest URL];
        if ([[URL scheme] isEqualToString:@"exampleScheme"])
        {
            NSString *functionString = [URL resourceSpecifier];
            if ([functionString hasPrefix:@"specialFunction"])
            {
                // Make data available back in webview.
                UIWebView *webView = [self writeDataToView:[URL query]];
            }
            return NO;
        }
        return YES;
    }
Bad · Objective-C
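Hardened counterparts of the two Android patterns above, added here as an example; this is not code from the CWE entry or from this page. The permission name, the allowlisted host and the helper methods destroyUserData and writeDataToView are assumptions.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Set;

public class OriginChecks {
    // Signature-level permission (assumed name) declared in the manifest: only apps
    // signed with the same key can hold it, so other apps cannot deliver the broadcast.
    static final String REMOVE_USER_PERMISSION = "com.example.permission.REMOVE_USER";

    public static void registerDeleteReceiver(Context ctx) {
        IntentFilter filter = new IntentFilter("com.example.RemoveUser");
        // 3rd argument: the sender must hold this permission; 4th: deliver on the main thread.
        ctx.registerReceiver(new DeleteReceiver(), filter, REMOVE_USER_PERMISSION, null);
    }

    public static class DeleteReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            if (!"com.example.RemoveUser".equals(intent.getAction())) return;
            int userId = intent.getIntExtra("userID", -1); // -1 when the extra is missing
            if (userId < 0) return;
            destroyUserData(userId);
        }
        private void destroyUserData(int userId) { /* app-specific, assumed */ }
    }

    // Pages whose JavaScript may call the native bridge (assumed allowlist).
    static final Set<String> BRIDGE_HOSTS = Collections.singleton("app.example.com");

    public static class BridgeClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            Uri target = Uri.parse(url);
            if (!"examplescheme".equalsIgnoreCase(target.getScheme())) return false; // ordinary navigation
            // Origin check: honour the bridge only when the page loaded in the WebView is
            // ours over HTTPS; a third-party or redirected page gets no data.
            Uri page = view.getUrl() == null ? null : Uri.parse(view.getUrl());
            boolean trusted = page != null && "https".equals(page.getScheme())
                    && BRIDGE_HOSTS.contains(page.getHost());
            if (trusted && "getUserInfo".equalsIgnoreCase(target.getSchemeSpecificPart())) {
                writeDataToView(view);
            }
            return true; // bridge URLs are never loaded, whether or not they were honoured
        }
        private void writeDataToView(WebView view) { /* app-specific, assumed */ }
    }
}
```

The allowlist check relies on view.getUrl(), which reflects the page currently committed in the WebView; treat it as one layer and keep sensitive data out of the bridge where possible.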
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-49803 | @koa/cors has overly permissive origin policy | cors | 8.6 | High | 2023-12-11
CVE-2023-28794 | PAC Files Exposed to Internet Websites | Client Connector | 4.3 | Medium | 2023-11-06
CVE-2023-28795 | Client IPC validation bypass | Client Connector | 7.8 | High | 2023-10-23
CVE-2021-26737 | Privilege Escalation Using PID Reuse in ZCC macOS | Client Connector | 5.5 | Medium | 2023-10-23
CVE-2021-26735 | Untrusted Search Path While Executing REG DELETE by Uninstaller | Client Connector | 6.7 | Medium | 2023-10-23
CVE-2023-44190 | Junos OS Evolved: PTX10001, PTX10004, PTX10008, PTX10016: MAC address validation bypass vulnerability | Junos OS Evolved | 6.1 | Medium | 2023-10-11
CVE-2023-44189 | Junos OS Evolved: PTX10003 Series: MAC address validation bypass vulnerability | Junos OS Evolved | 6.1 | Medium | 2023-10-11
CVE-2023-3654 | Origin Check Bypass | cashIT! - serving solutions. | 9.4 | Critical | 2023-10-03
CVE-2023-3581 | WebSockets accept connections from HTTPS origin | Mattermost | 6.2 | Medium | 2023-07-17
CVE-2023-2639 | Rockwell Automation FactoryTalk System Services Vulnerable to Sensitive Information Disclosure | FactoryTalk System Services | 4.1 | Medium | 2023-06-13
CVE-2022-45139 | WAGO: Origin validation error through CORS misconfiguration | Compact Controller CC100 (751-9301) | 5.3 | Medium | 2023-02-27
CVE-2022-41961 | BigBlueButton subject to Ineffective user bans | bigbluebutton | 4.3 | Medium | 2022-12-16
CVE-2022-41924 | Tailscale Windows daemon is vulnerable to RCE via CSRF | tailscale | 8.8 | - | 2022-11-23
CVE-2022-3457 | Origin Validation Error in ikus060/rdiffweb | ikus060/rdiffweb | 8.8 | - | 2022-10-13
CVE-2022-23764 | TERUTEN WebCube update remote code execution vulnerability | WebCube | 8.8 | High | 2022-08-17
CVE-2022-23763 | DOUZONE BIZON NeoRS file download and execute vulnerability | NeoRS | 7.8 | High | 2022-06-28
CVE-2022-1747 | Dominion Voting Systems ImageCast X access control error vulnerability | ImageCast X firmware | 4.6 | - | 2022-06-24
CVE-2022-30228 | Siemens SICAM GridEdge Essential access control error vulnerability | SICAM GridEdge (Classic) | 8.8 | High | 2022-06-14
CVE-2022-29818 | Jetbrains JetBrains IntelliJ IDEA access control error vulnerability | IntelliJ IDEA | 3.9 | Low | 2022-04-28
CVE-2021-32985 | AVEVA System Platform Origin Validation Error | AVEVA System Platform | 7.2 | High | 2022-04-04
CVE-2022-23032 | F5 BIG-IP APM access control error vulnerability | BIG-IP Edge Client for Mac and Windows | 8.2 | - | 2022-01-25
CVE-2020-9060 | Silicon Labs Z-Wave Chipsets resource management error vulnerability | ZEN25 | 6.5 | - | 2022-01-07
CVE-2021-39185 | Default CORS config allows any origin with credentials | http4s | 9.1 | Critical | 2021-09-01
CVE-2020-15734 | Same-origin policy vulnerability in Bitdefender Safepay | Safepay | 5.5 | Medium | 2021-04-12
CVE-2021-20199 | Podman onwards access control error vulnerability | podman | 5.9 | - | 2021-02-02
CVE-2020-26251 | CORS configuration is possibly vulnerable | open-zaak | 4.7 | Medium | 2020-12-18
CVE-2020-15733 | URL Spoofing Vulnerability in Bitdefender SafePay (VA-8958) | Antivirus Plus | 6.5 | Medium | 2020-12-14
CVE-2020-26234 | Disabled Hostname Verification in OpenCast | opencast | 4.8 | Medium | 2020-12-08
CVE-2020-26253 | .dev domains treated as local in Kirby | kirby | 6.8 | Medium | 2020-12-08
CVE-2020-14519 | Wibu CodeMeter WebSockets API access control error vulnerability | CodeMeter | 7.5 | - | 2020-09-16

Vulnerabilities classified as CWE-346 (Origin Validation Error) represent 159 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.