
CWE-472 (External Control of Assumed-Immutable Web Parameter) — Vulnerability Class 79

79 vulnerabilities classified as CWE-472 (External Control of Assumed-Immutable Web Parameter). AI-generated Chinese analysis included.

CWE-472 represents a logic flaw where web applications incorrectly assume certain input parameters are immutable, such as hidden form fields, cookies, or URL arguments, despite being fully controllable by external users. Attackers typically exploit this weakness by manipulating these trusted values to bypass authorization checks, alter business logic, or escalate privileges, effectively tricking the server into processing unauthorized actions. To mitigate this risk, developers must avoid relying on client-side data for security-critical decisions. Instead, they should enforce server-side validation for all inputs, ensuring that any parameter influencing application state is rigorously verified against expected values. By treating all user-supplied data as untrusted, regardless of its origin or apparent immutability, developers can prevent attackers from subverting application logic through simple parameter tampering.

MITRE CWE Description
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. If a web product does not properly protect assumed-immutable values from modification in hidden form fields, parameters, cookies, or URLs, this can lead to modification of critical data. Web applications often mistakenly make the assumption that data passed to the client in hidden fields or cookies is not susceptible to tampering. Improper validation of data that are user-controllable can lead to the application processing incorrect, and often malicious, input. For example, custom cookies commonly store session data or persistent data across sessions. This kind of session data is normally involved in security related decisions on the server side, such as user authentication and access control. Thus, the cookies might contain sensitive data such as user credentials and privileges. This is a dangerous practice, as it can often lead to improper reliance on the value of the client-provided cookie by the server side application.
Common Consequences (1)
Integrity: Modify Application Data
Without appropriate protection mechanisms, the client can easily tamper with cookies and similar web data. Reliance on the cookies without detailed validation can lead to problems such as SQL injection. If you use cookie values for security related decisions on the server side, manipulating the cook…
Mitigations (2)
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Examples (2)
In this example, a web application uses the value of a hidden form field (accountID) without having done any input validation because it was assumed to be immutable. The server looks up whichever account the client names, so any caller who edits the field can act on another user's account.
String accountID = request.getParameter("accountID");
User user = getUserFromID(Long.parseLong(accountID));
Bad · Java
Hidden fields should not be trusted as secure parameters. The field below is the client-side half of the same example; its value is whatever the browser chooses to send.
<input type="hidden" name="accountID" value="...">
Bad · HTML
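The page's Java example rendered in Python beside a hardened handler, as an added example that is not code from MITRE or this site: the account is resolved from the server-side session rather than the hidden field, and a checkout price is recomputed from the catalog. SESSIONS, USERS, ACCOUNTS and CATALOG are constructed in-memory stand-ins.

```python
# Added example, not code from MITRE or this page: the page's Java snippet, which
# trusts a hidden accountID field, rendered in Python beside a hardened handler.
# SESSIONS, USERS, ACCOUNTS and CATALOG are constructed in-memory stand-ins.

SESSIONS = {"sess-alice": "alice"}            # server-side session id -> user
USERS = {"alice": 42, "bob": 7}               # user -> account_id
ACCOUNTS = {42: "alice-data", 7: "bob-data"}  # account_id -> protected record
CATALOG = {"sku-1": 1999}                     # server-side price, in cents

class Forbidden(Exception):
    """Raised when a request fails server-side authorization or validation."""

def vulnerable_view(form):
    """CWE-472: the hidden accountID field is used as-is, exactly like the
    page's Java example; nothing ties it to the caller."""
    return ACCOUNTS[int(form["accountID"])]

def hardened_view(form, session_cookie):
    """The account is resolved from the server-side session. A hidden accountID
    sent by the client is at most cross-checked, never used as the source."""
    user = SESSIONS.get(session_cookie)
    if user is None:
        raise Forbidden("no valid session")
    owned = USERS[user]
    if "accountID" in form:
        try:
            requested = int(form["accountID"])
        except ValueError:
            raise Forbidden("malformed accountID")
        if requested != owned:
            raise Forbidden("accountID does not belong to this session")
    return ACCOUNTS[owned]

def hardened_checkout(form):
    """Price is recomputed from the catalog; any client-supplied price field is
    ignored, the fix for the price-manipulation entries in the table below."""
    qty = int(form.get("qty", "1"))
    sku = form.get("sku")
    if sku not in CATALOG or not 1 <= qty <= 100:
        raise Forbidden("unknown sku or quantity out of range")
    return CATALOG[sku] * qty

def rejected(form, session_cookie):
    """Helper for tests: True if hardened_view refuses the request."""
    try:
        hardened_view(form, session_cookie)
    except Forbidden:
        return True
    return False
```

The same tampered form that lets the vulnerable view read bob's record is refused by the hardened view, and a client-supplied price field has no effect on the total.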
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-66385 | Cerebrate security vulnerability | Cerebrate | 8.8 | - | 2025-11-28
CVE-2025-10891 | Google Chrome security vulnerability | Chrome | 8.8 (AI) | High (AI) | 2025-09-24
CVE-2025-10892 | Google Chrome security vulnerability | Chrome | 8.8 (AI) | High (AI) | 2025-09-24
CVE-2025-54551 | FUJIFILM Synapse Mobility security vulnerability | Synapse Mobility | 4.3 | Medium | 2025-08-20
CVE-2025-54832 | OPEXUS FOIAXpress Public Access Link (PAL) state and territory list unauthorized modification | FOIAXpress Public Access Link (PAL) | 4.3 | Medium | 2025-07-31
CVE-2025-8198 | MinimogWP – The High Converting eCommerce WordPress Theme <= 3.9.0 - Unauthenticated Price Manipulation | MinimogWP – The High Converting eCommerce WordPress Theme | 7.5 | High | 2025-07-26
CVE-2025-7656 | Google Chrome security vulnerability | Chrome | 8.8 | - | 2025-07-15
CVE-2025-6191 | Google Chrome security vulnerability | Chrome | 8.8 (AI) | High (AI) | 2025-06-18
CVE-2025-43002 | Missing Authorization check in SAP S4/HANA (OData meta-data property) | SAP S4/HANA (OData meta-data property) | 4.3 | Medium | 2025-05-13
CVE-2025-47817 | Checkmate security vulnerability | Checkmate | 8.8 | High | 2025-05-10
CVE-2025-35939 | Craft CMS stores user-provided content in session files | CMS | 5.3 | Medium | 2025-05-07
CVE-2025-47245 | Checkmate security vulnerability | Checkmate | 8.1 | High | 2025-05-03
CVE-2025-3743 | Upsell Funnel Builder for WooCommerce <= 3.0.0 - Unauthenticated Order Manipulation | Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. | 5.3 | Medium | 2025-04-25
CVE-2025-3530 | WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Product Price Manipulation | Simple Shopping Cart | 7.5 | High | 2025-04-23
CVE-2025-31327 | OData meta-data property entity tampering in SAP Field Logistics | SAP Field Logistics | 4.3 | Medium | 2025-04-22
CVE-2025-32816 | CourseLit security vulnerability | CourseLit | 3.1 | Low | 2025-04-11
CVE-2025-31333 | OData meta-data tampering in SAP S4CORE entity | SAP S4CORE entity | 4.3 | Medium | 2025-04-08
CVE-2025-30152 | Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout | PayPalPlugin | 6.5 | Medium | 2025-03-19
CVE-2025-30236 | Shearwater SecurEnvoy SecurAccess Enrol security vulnerability | SecurAccess | 8.6 | High | 2025-03-19
CVE-2025-29788 | Sylius PayPal Plugin Payment Amount Manipulation Vulnerability | PayPalPlugin | 6.5 | Medium | 2025-03-17
CVE-2025-26312 | SendQuick Entera security vulnerability | Entera | 9.1 | - | 2025-03-14
CVE-2025-27893 | Archer Platform security vulnerability | Archer | 1.8 | Low | 2025-03-11
CVE-2025-0436 | Google Chrome security vulnerability | Chrome | 8.8 | - | 2025-01-15
CVE-2025-22384 | Optimizely Configured Commerce security vulnerability | n/a | 5.3 | - | 2025-01-04
CVE-2024-50703 | TeamPass security vulnerability | TeamPass | 5.4 | Medium | 2024-12-30
CVE-2024-12123 | Unauthorized Modification of Ticket Requester | Issuetrak | 4.3 | - | 2024-12-04
CVE-2024-7025 | Microsoft Edge security vulnerability | Chrome | 8.8 | - | 2024-11-27
CVE-2024-9123 | Google Chrome security vulnerability | Chrome | 8.8 (AI) | High (AI) | 2024-09-24
CVE-2024-6010 | Cost Calculator Builder PRO <= 3.2.1 - Unauthenticated Price Manipulation | Cost Calculator Builder PRO | 5.3 | Medium | 2024-09-07
CVE-2023-38520 | WordPress Pinpoint Booking System plugin <= 2.9.9.3.4 - Parameter Tampering | Pinpoint Booking System | 6.5 | Medium | 2024-06-04

Vulnerabilities classified as CWE-472 (External Control of Assumed-Immutable Web Parameter) represent 79 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.