
CWE-35 Path Traversal: '.../...//' Vulnerability List (161)

A compilation of the 161 CVE vulnerabilities in the CWE-35 Path Traversal: '.../...//' weakness class, with AI-generated analysis in Chinese.

CWE-35 is a path traversal weakness: the program builds a file path that should stay inside a restricted directory from external input, but does not correctly neutralize doubled redirection sequences such as '.../...//'. An attacker crafts such character sequences to get past the sanitizer and read or modify sensitive files outside that directory. Developers should avoid concatenating user input into paths directly, canonicalize the path strictly, and apply allowlist validation so that the final resolved path always lies within the intended directory.

MITRE CWE Official Description
CWE-35 Path Traversal: '.../...//': The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism
Not properly neutralizing '.../...//' (doubled triple dot slash) allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Mitigations (2)
Phase: Implementation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Effectiveness: High
Phase: Implementation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Demonstrative Example (1)
Suppose the product serves files from a specific "public" directory -- /home/product/public/ -- and has an algorithm that attempts to protect against common path traversal attacks. The algorithm works by sequentially scanning through a requested filename, removing each occurrence of "../" that it encounters, and then appending the filename to the public directory.
Attack: ../secret.dat
Result: /home/product/public/secret.dat
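The following is an added example, not MITRE's or this platform's code, that implements the single-pass "../" stripper described above and places it beside a resolver built from the two mitigations listed (decode once, validate each segment against an allowlist, then confirm containment after canonicalization). The public directory is the one from the example; the function names, the allowlist regex and the sample requests are assumptions made for this illustration. It shows why the same filter that handles "../secret.dat" correctly turns ".../...//secret.dat" into "../secret.dat", which the filesystem then resolves to /home/product/secret.dat.

```python
"""CWE-35 worked example: the single-pass '../' stripper from the MITRE
demonstrative example beside an allowlist-plus-canonicalization resolver.
posixpath is used so the result is identical on every OS. The public
directory comes from the CWE-35 example; every other name and sample
request below is constructed for this illustration."""
import posixpath
import re
from urllib.parse import unquote

PUBLIC_DIR = "/home/product/public"           # from the CWE-35 example

# Allowlist for one path segment: alphanumeric runs joined by single dots
# ("secret.dat", "v1.2.tar"). ".", "..", "...", "" and "%2e%2e" all fail.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$")


def naive_filter(requested: str) -> str:
    """The flawed sanitizer: scan left to right, drop every '../' found and
    keep scanning *after* it. Characters on either side of a removed
    occurrence are never re-checked, so they can join into a fresh '../'."""
    out = []
    i = 0
    while i < len(requested):
        if requested.startswith("../", i):
            i += 3                        # skip this occurrence, no re-scan
        else:
            out.append(requested[i])
            i += 1
    return "".join(out)


def naive_serve(requested: str) -> str:
    """Where the filesystem would actually look after the naive filter."""
    return posixpath.normpath(posixpath.join(PUBLIC_DIR, naive_filter(requested)))


def safe_resolve(requested: str, base: str = PUBLIC_DIR) -> str:
    """Hardened resolver: decode exactly once (CWE-174), validate every
    segment against the allowlist ("accept known good"), then canonicalize
    and confirm the result is still under `base`. Raises ValueError otherwise."""
    decoded = unquote(requested)          # one decode pass, never a second
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    segments = decoded.split("/")
    if any(not SEGMENT_RE.match(s) for s in segments):
        raise ValueError("path segment not in allowlist: %r" % decoded)
    candidate = posixpath.normpath(posixpath.join(base, *segments))
    # Defense in depth: re-check containment after normalization. In
    # production use os.path.realpath so symlinks under `base` are resolved
    # before this comparison.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("resolves outside %s: %s" % (base, candidate))
    return candidate


def is_allowed(requested: str) -> bool:
    """True if safe_resolve would serve the request, False if it rejects it."""
    try:
        safe_resolve(requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for req in ["../secret.dat", ".../...//secret.dat", "%2e%2e/secret.dat",
                "docs/readme.txt"]:
        print("naive :", req, "->", naive_serve(req))
        print("safe  :", req, "->",
              safe_resolve(req) if is_allowed(req) else "rejected")
```

Running the block prints the naive result for "../secret.dat" exactly as the example's Result row shows, while ".../...//secret.dat" lands one directory above the public root; the hardened resolver rejects both, as well as the URL-encoded and double-encoded forms, because "..", "..." and "%2e%2e" are not in the per-segment allowlist.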
CVE ID | Title | Affected Product | CVSS | Risk Level | Published
CVE-2025-26354 | Q-Free MAXTIME Suite security vulnerability | MaxTime | 7.2 | High | 2025-02-12
CVE-2025-26353 | Q-Free MAXTIME Suite security vulnerability | MaxTime | 4.9 | Medium | 2025-02-12
CVE-2025-26352 | Q-Free MAXTIME Suite security vulnerability | MaxTime | 6.5 | Medium | 2025-02-12
CVE-2025-26351 | Q-Free MAXTIME Suite security vulnerability | MaxTime | 4.9 | Medium | 2025-02-12
CVE-2025-24786 | WhoDB security vulnerability | whodb | 10.0 | Critical | 2025-02-06
CVE-2025-0858 | HP Poly Edge E Series security vulnerability | Certain Poly Devices | 7.5 | - | 2025-02-05
CVE-2025-22205 | Admiror Gallery security vulnerability | Admiror Gallery component for Joomla | 7.5 | - | 2025-02-04
CVE-2025-24685 | WordPress plugin Morkva UA Shipping security vulnerability | Morkva UA Shipping | 8.1 | High | 2025-01-27
CVE-2025-22786 | WordPress plugin ElementInvader Addons for Elementor security vulnerability | ElementInvader Addons for Elementor | 7.5 | High | 2025-01-15
CVE-2024-49249 | WordPress plugin SMSA Shipping security vulnerability | SMSA Shipping | 8.6 | High | 2025-01-07
CVE-2024-56045 | WordPress plugin WPLMS security vulnerability | WPLMS | 9.3 | Critical | 2024-12-31
CVE-2024-56213 | WordPress plugin Eventin security vulnerability | Eventin | 6.5 | Medium | 2024-12-31
CVE-2024-56214 | WordPress plugin Userpro security vulnerability | Userpro | 8.3 | High | 2024-12-31
CVE-2023-7263 | Huawei HarmonyOS AILife Solution security vulnerability | HarmonyOS AILife Solution 8.0 | 7.3 | High | 2024-12-28
CVE-2023-7300 | Huawei HarmonyOS AILife Solution security vulnerability | HarmonyOS AILife Solution 8.0 | 8.0 | High | 2024-12-26
CVE-2024-56049 | WordPress plugin WPLMS security vulnerability | WPLMS | 8.5 | High | 2024-12-18
CVE-2024-56055 | WordPress plugin WPLMS security vulnerability | WPLMS | 8.5 | High | 2024-12-18
CVE-2024-54313 | WordPress plugin FULL Customer security vulnerability | FULL Customer | 6.5 | Medium | 2024-12-13
CVE-2024-21575 | ComfyUI-Impact-Pack product security vulnerability | ComfyUI-Impact-Pack | 8.6 | High | 2024-12-12
CVE-2024-54216 | WordPress plugin ARForms security vulnerability | ARForms | 7.7 | High | 2024-12-06
CVE-2024-52498 | WordPress plugin SP Blog Designer security vulnerability | SP Blog Designer | 7.5 | High | 2024-11-28
CVE-2024-10857 | WordPress plugin Product Input Fields for WooCommerce security vulnerability | Product Input Fields for WooCommerce | 6.5 | Medium | 2024-11-26
CVE-2024-50054 | mySCADA myPRO security vulnerability | myPRO Manager | 7.5 | High | 2024-11-22
CVE-2024-52447 | WordPress plugin Contact Page With Google Map security vulnerability | Contact Page With Google Map | 8.6 | High | 2024-11-20
CVE-2024-52390 | WordPress plugin CYAN Backup security vulnerability | CYAN Backup | 4.9 | Medium | 2024-11-18
CVE-2020-26073 | Cisco SD-WAN vManage information disclosure vulnerability | Cisco Catalyst SD-WAN Manager | 7.5 | High | 2024-11-18
CVE-2021-1132 | Cisco Network Services Orchestrator security vulnerability | Cisco Network Services Orchestrator | 5.3 | Medium | 2024-11-18
CVE-2024-41973 | WAGO multiple products security vulnerability | CC100 0751-9x01 | 8.1 | High | 2024-11-18
CVE-2024-41972 | WAGO multiple products security vulnerability | CC100 0751-9x01 | 6.5 | Medium | 2024-11-18
CVE-2024-11136 | TCL Camera security vulnerability | Camera | 9.1 (AI-estimated) | Critical (AI-estimated) | 2024-11-14

CWE-35 (Path Traversal: '.../...//') is a common weakness class; this platform has catalogued 161 CVE vulnerabilities associated with it.