
CWE-35 Path Traversal: '.../...//' vulnerability list (161)

A summary of the 161 CVE entries associated with the CWE-35 Path Traversal: '.../...//' weakness, with AI-generated analysis in Chinese.

CWE-35 is a path traversal weakness: the program uses external input to build a file path that is meant to stay inside a restricted directory, but does not correctly neutralize doubled redirect sequences such as '.../...//'. An attacker can exploit this by crafting such path sequences to bypass the security check and read or modify sensitive files outside that directory. Developers should avoid concatenating user input directly into paths, canonicalize the path strictly, and enforce allowlist validation so that the final resolved path always lies within the intended directory.

MITRE CWE official description
CWE-35 Path Traversal: '.../...//': The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism
Not properly neutralizing '.../...//' (doubled triple dot slash) allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Mitigations (2)
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Code Example (1)
Suppose the product serves files from a specific "public" directory, /home/product/public/, and has an algorithm that attempts to protect against common path traversal attacks. The algorithm works by sequentially scanning through a requested filename and removing each occurrence of "../" that it encounters, then appending the filename to the public directory.
Attack | Result
../secret.dat | /home/product/public/secret.dat
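As an added example (not code from this page or from MITRE), the single-pass "../" filter described above is placed next to a hardened resolver that follows the two mitigations: decode exactly once, canonicalize the whole joined path, and only then check that it is still inside the public directory. The directory comes from the example; the request names and the function names are constructed for the demonstration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# The "public" directory from the CWE-35 demonstrative example above.
PUBLIC_ROOT = "/home/product/public"


def naive_strip(name: str) -> str:
    """The weak filter described above: one left-to-right pass that removes
    each '../' it meets. str.replace() is exactly such a pass, so the
    '.../...//' sequence collapses to '../' only after the check has run."""
    return name.replace("../", "")


def resolve_naive(name: str) -> str:
    """Filter, then append to the public directory. normpath() then collapses
    any '..' that survived, the way the OS would when the file is opened."""
    return posixpath.normpath(posixpath.join(PUBLIC_ROOT, naive_strip(name)))


def resolve_safe(name: str) -> Optional[str]:
    """Hardened version following the mitigation text: decode once (CWE-180,
    never twice: CWE-174), canonicalise the whole joined path, and only then
    check that it still lies inside PUBLIC_ROOT. Returns None when it does not.
    'name' must be the raw, still-encoded value taken from the request."""
    decoded = unquote(name)
    candidate = posixpath.normpath(posixpath.join(PUBLIC_ROOT, decoded))
    # commonpath() rather than startswith(): "/home/product/public2/x" would
    # pass a plain string-prefix test although it is outside the directory.
    # A real file server should also apply os.path.realpath() here so that a
    # symlink inside the public tree cannot point back out of it.
    if posixpath.commonpath([PUBLIC_ROOT, candidate]) != PUBLIC_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request names: the page's '../' row, the '.../...//' sequence
    # the weakness is named after, a percent-encoded variant and a benign file.
    for req in ("../secret.dat", ".../...//secret.dat",
                "%2e%2e/secret.dat", "css/site.css"):
        print(f"{req:22} naive -> {resolve_naive(req):40} safe -> {resolve_safe(req)}")
```

Running it shows the naive filter turning ".../...//secret.dat" into "../secret.dat" and resolving to /home/product/secret.dat, while the hardened resolver rejects every escape and leaves the odd but harmless ".../.../" components inside the public tree.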
CVE ID | Title | Affected product | CVSS | Risk level | Published
CVE-2025-49296 | WordPress plugin GrandPrix security vulnerability | GrandPrix | 8.1 | High | 2025-06-09
CVE-2025-49295 | WordPress plugin MediClinic security vulnerability | MediClinic | 8.1 | High | 2025-06-09
CVE-2025-49297 | WordPress plugin Grill and Chow security vulnerability | Grill and Chow | 8.1 | High | 2025-06-09
CVE-2025-27445 | RSJoomla! RSFirewall! security vulnerability | RSFirewall component for Joomla | 6.5 (AI) | Medium (AI) | 2025-06-05
CVE-2025-5598 | Airleader Master security vulnerability | airleader MASTER | 7.5 (AI) | High (AI) | 2025-06-04
CVE-2025-46441 | WordPress plugin Section Widget security vulnerability | Section Widget | 5.3 | Medium | 2025-05-19
CVE-2025-27010 | WordPress plugin Tastyc security vulnerability | Tastyc | 8.1 | High | 2025-05-19
CVE-2025-39492 | WordPress plugin WHMpress security vulnerability | WHMpress | 7.5 | High | 2025-05-16
CVE-2025-39491 | WordPress plugin WHMpress security vulnerability | WHMpress | 8.1 | High | 2025-05-16
CVE-2025-40573 | Siemens SCALANCE LPE9403 security vulnerability | SCALANCE LPE9403 | 4.4 | Medium | 2025-05-13
CVE-2025-47649 | WordPress plugin Open Close WooCommerce Store security vulnerability | Open Close WooCommerce Store | 8.8 | High | 2025-05-07
CVE-2025-47636 | WordPress plugin List category posts security vulnerability | List category posts | 7.5 | High | 2025-05-07
CVE-2025-32950 | Jmix security vulnerability | jmix | 6.5 | Medium | 2025-04-22
CVE-2025-39470 | WordPress plugin Ivy School security vulnerability | Ivy School | 8.1 | High | 2025-04-18
CVE-2025-24907 | Hitachi Vantara Pentaho Data Integration & Analytics security vulnerability | Pentaho Data Integration & Analytics | 6.8 | Medium | 2025-04-16
CVE-2025-24908 | Hitachi Vantara Pentaho Data Integration & Analytics security vulnerability | Pentaho Data Integration & Analytics | 6.8 | Medium | 2025-04-16
CVE-2025-39598 | WordPress plugin Administrator Z security vulnerability | Administrator Z | 4.9 | Medium | 2025-04-16
CVE-2025-30966 | WordPress plugin WPJobBoard security vulnerability | WPJobBoard | 5.4 | Medium | 2025-04-15
CVE-2025-32585 | WordPress plugin Shop Products Filter security vulnerability | Shop Products Filter | 7.5 | High | 2025-04-11
CVE-2025-30014 | SAP Capital Yield Tax Management security vulnerability | SAP Capital Yield Tax Management | 7.7 | High | 2025-04-08
CVE-2025-30834 | WordPress plugin Bit Assist security vulnerability | Bit Assist | 7.5 | High | 2025-04-01
CVE-2024-54362 | WordPress plugin GetShop ecommerce security vulnerability | GetShop ecommerce | 8.1 | High | 2025-03-28
CVE-2025-26940 | WordPress plugin Pie Register Premium security vulnerability | Pie Register Premium | 6.3 | Medium | 2025-03-15
CVE-2025-27274 | WordPress plugin GPX Viewer security vulnerability | GPX Viewer | 4.9 | Medium | 2025-03-03
CVE-2025-25122 | WordPress plugin WizShop security vulnerability | WizShop | 8.1 | High | 2025-03-03
CVE-2025-26935 | WordPress plugin WP Job Portal security vulnerability | WP Job Portal | 7.5 | High | 2025-02-25
CVE-2025-26876 | WordPress plugin CodeManas Search with Typesense security vulnerability | Search with Typesense | 6.8 | Medium | 2025-02-25
CVE-2025-26357 | Q-Free MAXTIME Suite security vulnerability | MaxTime | 4.9 | Medium | 2025-02-12
CVE-2025-26356 | Q-Free MAXTIME Suite security vulnerability | MaxTime | 7.2 | High | 2025-02-12
CVE-2025-26355 | Q-Free MAXTIME Suite security vulnerability | MaxTime | 6.5 | Medium | 2025-02-12
Values tagged (AI) carry the page's AI badge next to the CVSS score and risk level.

CWE-35 (Path Traversal: '.../...//') is a common weakness category; this platform has collected 161 CVE entries associated with it.