
CWE-428 Unquoted Search Path or Element: vulnerability list (325)

Summary of the 325 CVEs associated with the CWE-428 (Unquoted Search Path or Element) weakness class, with AI-generated analysis in Chinese.

CWE-428 is the unquoted search path or element weakness, a defect in how an executable path is resolved. On Windows, when CreateProcess or WinExec is handed an unquoted command line such as C:\Program Files\Foo\Bar, it cannot tell where the executable name ends, so it tries each whitespace-delimited prefix in turn: C:\Program.exe first, then C:\Program Files\Foo\Bar.exe. The classic instance is a service whose registry ImagePath is unquoted. An attacker who can create a file in any directory along the path (C:\, C:\Program Files\, or the vendor folder) plants a binary under one of those earlier names, and it runs with the service account, usually SYSTEM, the next time the service starts. Exploitability therefore depends on directory ACLs: default permissions on C:\ and C:\Program Files do not let a standard user create files there, so many findings of this class are only exploitable where an installer or administrator has loosened those permissions. The fix is to quote the executable path wherever it is stored or passed (installer, registry ImagePath, CreateProcess call); avoiding spaces in paths also works but is less robust than quoting.

MITRE CWE official description
CWE-428 Unquoted Search Path or Element: The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec.
Common consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Execute Unauthorized Code or Commands.
Mitigations (3)
Phase: Implementation. Properly quote the full search path before executing a program on the system.
Phase: Implementation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Phase: Implementation. Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Code example (1)
The following example demonstrates the weakness. The path passed to WinExec contains spaces but is not quoted, so Windows looks for C:\Program.exe before it reaches C:\Program Files\Foo\Bar.exe; anyone who can create the former file gets it executed with this program's privileges.
Bad · C
#include <windows.h>
/* Bad: unquoted path with spaces; C:\Program.exe is tried first */
UINT errCode = WinExec( "C:\\Program Files\\Foo\\Bar", SW_SHOW );
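What a practitioner wants alongside this description is a way to find unquoted service paths and see exactly which files an attacker would try to plant. The Python below is an added example written for this page, not code from MITRE or from any product in the CVE list; it models the documented CreateProcess candidate order over a constructed set of ImagePath values (the service names and vendors are invented), lists the parent directories whose ACLs decide exploitability, and emits the quoted, hardened ImagePath. On a real host the input would come from the Services registry key, e.g. `reg query "HKLM\SYSTEM\CurrentControlSet\Services\<name>" /v ImagePath` or `Get-CimInstance Win32_Service`, and each listed directory would be checked with icacls.

```python
import ntpath
import re

# Constructed sample of service ImagePath values, shaped like the output of
#   reg query "HKLM\SYSTEM\CurrentControlSet\Services\<name>" /v ImagePath
# Service names and vendors are made up for this example; they are not the
# products in the CVE list on this page.
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\svc.exe" -run',
    "SysSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "BadSvc": r"C:\Program Files\Some Vendor\Agent Service\agent.exe",
    "BadSvc2": r"C:\Program Files (x86)\Tool\tool service.exe /quiet",
}

# First ".exe" token marks the end of the executable in an unquoted ImagePath.
_EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments) for a service ImagePath string.

    A quoted path ends at the closing quote. For an unquoted one we cut after
    the first '.exe'; with no extension at all the whole string is treated as
    the executable, since CreateProcess appends .exe itself in that case.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    m = _EXE_RE.search(s)
    if m:
        return s[:m.end()], s[m.end():].strip()
    return s, ""


def is_unquoted_with_spaces(image_path):
    """True when the executable part is unquoted and contains whitespace (CWE-428)."""
    s = image_path.strip()
    if s.startswith('"'):
        return False
    exe, _ = split_image_path(s)
    return any(ch.isspace() for ch in exe)


def candidate_executables(exe_path):
    """Paths CreateProcess/WinExec try, in order, for an unquoted path with spaces.

    Documented rule: split at each whitespace, try each prefix, appending .exe
    when the prefix has no extension. For C:\\Program Files\\Foo\\Bar that is
    C:\\Program.exe, then C:\\Program Files\\Foo\\Bar.exe.
    """
    parts = exe_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def plantable_paths(exe_path):
    """Every candidate except the real executable: the files an attacker would plant."""
    return candidate_executables(exe_path)[:-1]


def parent_dirs_to_check(paths):
    """Directories whose ACLs decide exploitability; check each with icacls on the host."""
    return sorted({ntpath.dirname(p) for p in paths})


def quote_image_path(image_path):
    """Hardened form: double-quote the executable, leave the arguments untouched."""
    s = image_path.strip()
    if not is_unquoted_with_spaces(s):
        return s
    exe, args = split_image_path(s)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(services):
    """Map each vulnerable service name to the paths an attacker would try to plant."""
    findings = {}
    for name, image_path in services.items():
        if is_unquoted_with_spaces(image_path):
            exe, _ = split_image_path(image_path)
            findings[name] = plantable_paths(exe)
    return findings


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted ImagePath, attacker-plantable candidates:")
        for p in paths:
            print(f"    {p}")
        print(f"    directories to check ACLs on: {parent_dirs_to_check(paths)}")
        print(f"    fixed ImagePath: {quote_image_path(SAMPLE_SERVICES[name])}")
```

The audit deliberately reports candidates rather than verdicts: a service with an unquoted path is a finding, but it is a privilege-escalation vulnerability only if one of the directories returned by parent_dirs_to_check is writable by a less-privileged user. The split heuristic (cut at the first ".exe") is an assumption that matches the common ImagePath shapes; a path whose executable lacks an extension is handled, but exotic forms such as an ".exe" inside a directory name would need manual review.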
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-71326 | AVAST Antivirus 25.11 unquoted service path privilege escalation | AVAST Antivirus | 7.8 | High | 2026-06-19
CVE-2023-54353 | Chromacam 4.0.3.0 unquoted service path privilege escalation | Chromacam | 7.8 | High | 2026-06-19
CVE-2021-47985 | Brother SAPSprint 7.60 unquoted service path privilege escalation | SAPSprint | 7.8 | High | 2026-06-19
CVE-2022-50971 | Malwarebytes 4.5 unquoted service path privilege escalation | Malwarebytes | 7.8 | High | 2026-06-19
CVE-2020-37254 | Wondershare PDFelement 5.2.9 unquoted service path privilege escalation | PDFelement | 7.8 | High | 2026-06-19
CVE-2020-37252 | Realtek Audio Service 1.0.0.55 unquoted service path privilege escalation | Realtek Audio Service | 7.8 | High | 2026-06-19
CVE-2020-37253 | Winstep 18.06.0096 unquoted service path privilege escalation | Winstep | 7.8 | High | 2026-06-19
CVE-2020-37251 | RealTimes Desktop Service 18.1.4 unquoted service path privilege escalation | RealTimes Desktop Service | 7.8 | High | 2026-06-19
CVE-2020-37250 | TFTP Broadband 4.3.0.1465 unquoted service path privilege escalation | TFTP Broadband | 7.8 | High | 2026-06-19
CVE-2019-25747 | Network Inventory Advisor 5.0.26.0 unquoted service path privilege escalation | Network Inventory Advisor | 7.8 | High | 2026-06-19
CVE-2016-20095 | Matrix42 Remote Control Host 3.20.0031 unquoted path privilege escalation | Matrix42 Remote Control Host | 7.8 | High | 2026-06-19
CVE-2016-20093 | Wise Care 365 4.27 and Wise Disk Cleaner 9.29 unquoted service path privilege escalation | Wisecleaner | 7.8 | High | 2026-06-19
CVE-2016-20094 | AnyDesk 2.5.0 unquoted service path privilege escalation | AnyDesk | 7.8 | High | 2026-06-19
CVE-2016-20092 | NetDrive 2.6.12 unquoted service path privilege escalation | NetDrive | 7.8 | High | 2026-06-19
CVE-2016-20091 | Windows Firewall Control 4.8.6.0 unquoted service path privilege escalation | Windows Firewall Control | 7.8 | High | 2026-06-19
CVE-2016-20090 | Comodo Dragon 52.15.25.663 unquoted service path privilege escalation | Dragon Browser | 7.8 | High | 2026-06-19
CVE-2016-20089 | Iperius Remote 1.7.0 unquoted service path privilege escalation | Iperius Remote | 7.8 | High | 2026-06-19
CVE-2016-20088 | Comodo Chromodo Browser 52.15.25.664 privilege escalation | Chromodo Browser | 7.8 | High | 2026-06-19
CVE-2016-20086 | Vembu StoreGrid 4.0 unquoted service path privilege escalation | Vembu StoreGrid | 7.8 | High | 2026-06-19
CVE-2016-20087 | Fortitude HTTP 1.0.4.0 unquoted service path privilege escalation | Fortitude HTTP | 7.8 | High | 2026-06-19
CVE-2016-20085 | Realtek High Definition Audio Driver 6.0.1.6730 privilege escalation | Realtek High Definition Audio Driver | 7.8 | High | 2026-06-19
CVE-2026-25865 | Punto Switcher 4.5.0.583 unquoted path remote code execution | Punto Switcher | 7.8 | High | 2026-06-18
CVE-2021-47974 | Flexense VX Search code issue vulnerability | VX Search | 7.8 | High | 2026-05-16
CVE-2020-37247 | Kite code issue vulnerability | Kite | 7.8 | High | 2026-05-16
CVE-2020-37232 | IObit Advanced SystemCare Service code issue vulnerability | Advanced System Care Service | 7.8 | High | 2026-05-16
CVE-2020-37231 | Cybertron Privacy Drive code issue vulnerability | Privacy Drive | 7.8 | High | 2026-05-16
CVE-2020-37230 | Syncplify Server code issue vulnerability | Syncplify.me Server! | 7.8 | High | 2026-05-16
CVE-2020-37229 | OKI sPSV Port Manager code issue vulnerability | OKI sPSV Port Manager | 7.8 | High | 2026-05-16
CVE-2020-37223 | IObit Uninstaller code issue vulnerability | IObit Uninstaller | 7.8 | High | 2026-05-13
CVE-2021-47945 | Argus Surveillance DVR code issue vulnerability | Argus Surveillance DVR | 7.8 | High | 2026-05-10

CWE-428 (Unquoted Search Path or Element) is a common weakness class; this platform indexes 325 CVEs associated with it.