
CWE-360 (Trust of System Event Data) — Vulnerability Class 2

2 vulnerabilities classified as CWE-360 (Trust of System Event Data). AI-generated analysis (originally in Chinese) included.

CWE-360 represents a trust relationship weakness where applications incorrectly rely on unverified system event data for critical security decisions. This vulnerability arises because event messaging systems, such as Windows messages, often lack robust authentication frameworks, allowing any process on a desktop to spoof messages intended for other windows. Attackers typically exploit this by injecting malicious event data to trick applications into performing unauthorized actions, such as elevating privileges or bypassing access controls. To mitigate this risk, developers must implement strict validation mechanisms that verify the source and integrity of incoming events rather than assuming their authenticity. Utilizing authenticated channels, digital signatures, or secure inter-process communication protocols ensures that only trusted entities can trigger sensitive operations, thereby preventing spoofing attacks and maintaining system integrity against malicious actors seeking to manipulate event-driven workflows.

MITRE CWE Description
Security based on event locations is insecure and can be spoofed. Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control
Impact: Gain Privileges or Assume Identity; Execute Unauthorized Code or Commands
If one trusts the system-event information and executes commands based on it, one could potentially take actions based on a spoofed identity.
Mitigations (1)
Architecture and Design: Never trust or rely on any of the information in an Event for security.
Examples (1)
This example code prints out secret information when an authorized user activates a button. The only check is on the event's source field, which is exactly the data a spoofed event controls; whether the user is actually authorized is never verified:

    import java.awt.event.ActionEvent;

    // Bad: the decision to reveal the secret rests entirely on data carried
    // by the event itself, which an unauthenticated sender can forge.
    public void actionPerformed(ActionEvent e) {
        if (e.getSource() == button) {
            System.out.println("print out secret information");
        }
    }

Bad · Java
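To make the weakness described above and in the MITRE description concrete, the following is an added example (not MITRE's code and not from any of the listed products) that places the trusting listener beside a hardened one. The `AuthzContext` class is a hypothetical stand-in for authorization state established over a trusted channel (an authenticated session, for instance); the forged `ActionEvent` is constructed inline to play the role of a spoofed message that claims the real button as its source.

```java
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import javax.swing.JButton;

// Added example: CWE-360 trusting listener beside a hardened version.
public class TrustedEventDemo {

    // Hypothetical: holds the outcome of an authentication performed outside
    // the event channel, so a forged event cannot set it.
    static final class AuthzContext {
        private final boolean authorized;
        AuthzContext(boolean authorized) { this.authorized = authorized; }
        boolean isAuthorized() { return authorized; }
    }

    // Bad: the sensitive action is gated only on the event's own source
    // field, which is attacker-controlled when events can be spoofed.
    static final class TrustingListener implements ActionListener {
        private final JButton button;
        boolean revealed = false;
        TrustingListener(JButton button) { this.button = button; }
        @Override
        public void actionPerformed(ActionEvent e) {
            if (e.getSource() == button) {
                revealed = true;   // stands in for printing the secret
            }
        }
    }

    // Hardened: the event only requests the action; the security decision is
    // made against authorization state the event cannot influence.
    static final class VerifyingListener implements ActionListener {
        private final JButton button;
        private final AuthzContext ctx;
        boolean revealed = false;
        VerifyingListener(JButton button, AuthzContext ctx) {
            this.button = button;
            this.ctx = ctx;
        }
        @Override
        public void actionPerformed(ActionEvent e) {
            if (e.getSource() == button && ctx.isAuthorized()) {
                revealed = true;
            }
        }
    }

    public static void main(String[] args) {
        JButton button = new JButton("Show secret");

        // Constructed event: claims the real button as its source, as a forged
        // message would, while no user has authenticated.
        ActionEvent forged = new ActionEvent(button, ActionEvent.ACTION_PERFORMED, "click");

        TrustingListener bad = new TrustingListener(button);
        bad.actionPerformed(forged);
        System.out.println("trusting listener revealed secret: " + bad.revealed);

        VerifyingListener good = new VerifyingListener(button, new AuthzContext(false));
        good.actionPerformed(forged);
        System.out.println("verifying listener revealed secret: " + good.revealed);
    }
}
```

The forged event satisfies the trusting listener's only check, so it reveals the secret; the verifying listener still inspects the source for routing purposes but refuses because the authorization context, which the event cannot alter, says no user is authorized. That separation of "who sent this event" from "is this action authorized" is the mitigation the CWE entry calls for.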
CVE ID | Title | CVSS | Severity | Published
CVE-2024-3371 | Insufficient validation of external input in Compass may enable MITM attacks — MongoDB Compass | 7.1 | High | 2024-04-24
CVE-2017-0911 | Twitter Kit for iOS "Login with Twitter" component security vulnerability — Twitter Kit for iOS | 7.1 | - | 2018-02-09

Vulnerabilities classified as CWE-360 (Trust of System Event Data) represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.