
CWE-424 (Improper Protection of Alternate Path) — Vulnerability Class 28

28 vulnerabilities classified as CWE-424 (Improper Protection of Alternate Path). AI-generated Chinese analysis included.

CWE-424, Improper Protection of Alternate Path, is a security weakness where a system fails to adequately secure all potential access routes to restricted resources or functionality. This vulnerability typically arises when developers implement access controls for primary interfaces but neglect secondary channels, such as administrative backdoors, debug modes, or alternative API endpoints. Attackers exploit this oversight by bypassing standard authentication mechanisms through these unprotected alternate paths, gaining unauthorized access to sensitive data or system privileges. To mitigate this risk, developers must adopt a comprehensive security architecture that enforces consistent access control policies across every possible interaction point. This involves rigorous threat modeling to identify all entry vectors, coupled with automated testing to verify that no alternate paths remain exposed. By ensuring uniform protection standards, organizations can prevent attackers from circumventing security measures through overlooked system components.

MITRE CWE Description
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

Common Consequences (1)
Scope: Access Control. Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity.

Mitigations (1)
Phase: Architecture and Design. Deploy different layers of protection to implement security in depth.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-4913 | Ivanti Neurons for ITSM security vulnerability — Neurons for ITSM (On-Premise) | 5.7 | Medium | 2026-04-14 |
| CVE-2026-4270 | AWS API MCP File Access Restriction Bypass — AWS API MCP Server | 5.5 | Medium | 2026-03-16 |
| CVE-2025-68939 | Gitea security vulnerability — Gitea | 8.2 | High | 2025-12-26 |
| CVE-2025-4617 | Prisma Browser: Insufficient Policy Enforcement Vulnerability in Prisma Browser — Prisma Browser | 5.5 | - | 2025-11-14 |
| CVE-2025-58079 | NEOJAPAN desknet's NEO security vulnerability — desknet's NEO | 8.1 (AI) | High (AI) | 2025-10-16 |
| CVE-2025-6250 | Privilege Management for Windows - Elevation of Privilege — Privilege Management for Windows | 8.8 (AI) | High (AI) | 2025-07-28 |
| CVE-2025-49162 | Arris VIP1113 security vulnerability — VIP1113 | 6.4 | Medium | 2025-06-02 |
| CVE-2025-49163 | Arris VIP1113 security vulnerability — VIP1113 | 6.7 | Medium | 2025-06-02 |
| CVE-2025-48828 | Internet Brands vBulletin security vulnerability — vBulletin | 9.0 | Critical | 2025-05-27 |
| CVE-2025-48827 | Internet Brands vBulletin security vulnerability — vBulletin | 10.0 | Critical | 2025-05-27 |
| CVE-2025-46654 | CodiMD security vulnerability — CodiMD | 4.9 | Medium | 2025-04-26 |
| CVE-2025-46655 | CodiMD security vulnerability — CodiMD | 4.9 | Medium | 2025-04-26 |
| CVE-2024-58136 | Yii security vulnerability — Yii | 9.0 | Critical | 2025-04-10 |
| CVE-2025-0113 | Cortex XDR Broker VM: Unauthorized Access to Broker VM Docker Containers — Cortex XDR Broker VM | 7.4 | - | 2025-02-12 |
| CVE-2023-52952 | Siemens HiMed Cockpit security vulnerability — HiMed Cockpit 12 pro | 8.5 | High | 2024-10-08 |
| CVE-2024-8311 | Improper Protection of Alternate Path in GitLab — GitLab | 6.5 | Medium | 2024-09-12 |
| CVE-2024-3927 | Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.6.3 - Form Submission Admin Email Bypass — Element Pack – Widgets, Templates & Addons for Elementor | 5.3 | Medium | 2024-05-22 |
| CVE-2024-3460 | KioWare security vulnerability — Kioware | 7.4 | High | 2024-05-09 |
| CVE-2024-3459 | KioWare security vulnerability — Kioware | 8.4 | High | 2024-05-09 |
| CVE-2023-20272 | Cisco Identity Services Engine security vulnerability — Cisco Identity Services Engine Software | 6.7 | Medium | 2023-11-21 |
| CVE-2023-46176 | IBM MQ privilege escalation — MQ Appliance | 6.7 | Medium | 2023-11-03 |
| CVE-2023-0629 | Docker Desktop before 4.17.0 allows an unprivileged user to bypass Enhanced Container Isolation restrictions via the raw Docker socket and launch privileged containers — Docker Desktop | 7.1 | High | 2023-03-13 |
| CVE-2022-1742 | 2.2.4 IMPROPER PROTECTION OF ALTERNATE PATH CWE-424 — ImageCast X application | 6.8 | - | 2022-06-24 |
| CVE-2022-28782 | Samsung SMR security vulnerability — Samsung Mobile Devices | 4.6 | Medium | 2022-05-03 |
| CVE-2022-24932 | Samsung Setup wizard process security vulnerability — Samsung Mobile Devices | 4.2 | Medium | 2022-03-08 |
| CVE-2021-3793 | Binatone Motorola-branded Camera security vulnerability — Binatone Hubble Cameras | 6.5 | Medium | 2021-11-12 |
| CVE-2019-18996 | ABB PB610 HMIStudio accepts malicious DLL file in an application — PB610 Panel Builder 600 | 7.1 | High | 2019-12-18 |
| CVE-2019-18997 | PB610 HMISimulator provides interface with access to arbitrary files — PB610 Panel Builder 600 | 4.3 | Medium | 2019-12-18 |

CVSS and severity values marked "(AI)" are AI-estimated scores rather than official NVD scores; "-" means no severity rating was listed.

Vulnerabilities classified as CWE-424 (Improper Protection of Alternate Path) represent 28 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.