
CWE-565 Reliance on Cookies without Validation and Integrity Checking: vulnerability list (20)

Summary of the 20 CVE entries mapped to the CWE-565 weakness class, with AI-generated analysis in Chinese.

CWE-565 belongs to the family of weaknesses that rely on untrusted data. An attacker tampers with or forges a cookie value so that the application performs a security-critical operation without verifying identity or integrity, bypassing authentication or gaining access beyond the attacker's privileges. Developers should not trust cookie data directly: keep authoritative state in server-side session management, sign cookies and verify the signature, and apply integrity and validity checks so that malicious input cannot influence security logic.

MITRE CWE official description
CWE-565: Reliance on Cookies without Validation and Integrity Checking. The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
Common consequences (2)
Scope: Confidentiality, Integrity, Availability. Impact: Modify Application Data, Execute Unauthorized Code or Commands.
Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and integrity checking can allow attackers to bypass authentication, conduct injection attacks such as SQL injection and cross-site …
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
It is dangerous to use cookies to set a user's privileges. The cookie can be manipulated to escalate an attacker's privileges to an administrative level.
Mitigations (4)
Phase: Architecture and Design. Avoid using cookie data for a security-related decision.
Phase: Implementation. Perform thorough input validation (i.e. server-side validation) on the cookie data if you're going to use it for a security-related decision.
Phase: Architecture and Design. Add integrity checks to detect tampering.
Phase: Architecture and Design. Protect critical cookies from replay attacks, since cross-site scripting or other attacks may allow attackers to steal a strongly-encrypted cookie that also passes integrity checks. This mitigation applies to cookies that should only be valid during a single transaction or session. By enforcing timeouts, you may limit the scope of an attack. As part of your integrity check, use an unpredictable, s…
Code example (1)
The following code excerpt reads a value from a browser cookie to determine the role of the user.

```java
// Deliberately vulnerable (CWE-565): the role is copied verbatim from a
// client-controlled cookie, so any user can set role=admin in the browser
// and the server will believe it. Nothing here is signed or checked.
import javax.servlet.http.Cookie;

String userRole = null;
Cookie[] cookies = request.getCookies();
for (int i = 0; i < cookies.length; i++) {
    Cookie c = cookies[i];
    if (c.getName().equals("role")) {
        userRole = c.getValue();
    }
}
```

Bad · Java
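One way to apply the mitigations listed above to the role-from-cookie pattern: the role never leaves the server, the cookie carries only an unpredictable session id plus an expiry under an HMAC, the tag is checked in constant time before anything is parsed, and a timeout and server-side revocation bound the replay window. This is an added example written here in Python rather than the page's Java; it is not MITRE's code nor any listed vendor's. `SECRET_KEY`, the in-memory `SESSIONS` store and the cookie name `session` are assumptions.

```python
"""CWE-565 demo: an editable 'role' cookie versus an HMAC-signed session cookie
whose authority lives server-side. Added example, not code from MITRE or any vendor."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: one per-deployment secret; real code loads it from a KMS or env.
SECRET_KEY = secrets.token_bytes(32)

# Assumption: a dict stands in for the server-side session store (Redis, DB, ...).
SESSIONS: dict = {}


def role_from_cookie_insecure(cookies: dict) -> str:
    """The page's Java pattern: the role is whatever the 'role' cookie says."""
    return cookies.get("role", "user")


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(user: str, role: str, ttl: int = 900,
                         now: Optional[float] = None) -> str:
    """Create a server-side session and return a signed, expiring cookie value.
    The cookie holds only an unpredictable session id and an expiry; the role is
    never written into it, so there is nothing privilege-bearing for the client to edit."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)                       # 256 bits, unguessable
    SESSIONS[sid] = {"user": user, "role": role, "expires": now + ttl}
    payload = _b64e(json.dumps({"sid": sid, "exp": int(now + ttl)}).encode())
    return f"{payload}.{_tag(payload)}"


def role_from_cookie_secure(cookies: dict, now: Optional[float] = None):
    """Return the role for this request, or None if the cookie is absent,
    tampered with, expired, or no longer backed by a live server-side session."""
    now = time.time() if now is None else now
    raw = cookies.get("session")
    if not raw or raw.count(".") != 1:
        return None
    payload, tag = raw.split(".")
    # Integrity check first, in constant time, before parsing anything.
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    try:
        claims = json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None                                        # timeout bounds replay
    session = SESSIONS.get(claims.get("sid"))
    if session is None or session["expires"] < now:
        return None                                        # revoked or expired server-side
    return session["role"]                                 # authority comes from the server


def revoke_session_cookie(cookie: str) -> None:
    """Logout: drop the server-side session so a stolen copy of the cookie stops working."""
    try:
        SESSIONS.pop(json.loads(_b64d(cookie.split(".")[0])).get("sid"), None)
    except (ValueError, UnicodeDecodeError):
        pass


def demo() -> dict:
    """Walk through the attacks the page describes and record the outcome of each."""
    results = {}
    # 1. Insecure: the attacker simply writes role=admin in the browser.
    results["insecure_tampered"] = role_from_cookie_insecure({"role": "admin"})
    # 2. Secure: the genuine cookie resolves to the role stored server-side.
    t0 = 1_700_000_000.0                                   # constructed clock value
    cookie = issue_session_cookie("alice", "user", ttl=900, now=t0)
    results["secure_valid"] = role_from_cookie_secure({"session": cookie}, now=t0 + 10)
    # 3. Editing the payload (new sid, far-future expiry) breaks the HMAC.
    _payload, tag = cookie.split(".")
    forged = _b64e(b'{"sid":"anything","exp":9999999999}') + "." + tag
    results["secure_forged"] = role_from_cookie_secure({"session": forged}, now=t0 + 10)
    # 4. A genuine cookie replayed after its timeout is rejected.
    results["secure_expired"] = role_from_cookie_secure({"session": cookie}, now=t0 + 901)
    # 5. A genuine cookie replayed after logout is rejected.
    revoke_session_cookie(cookie)
    results["secure_after_logout"] = role_from_cookie_secure({"session": cookie}, now=t0 + 10)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>20}: {outcome!r}")
```

The insecure path returns "admin" for anyone who types it into their cookie jar; the secure path returns "user" only for the untampered, unexpired, unrevoked cookie and None in every other case. Note that signing alone does not stop a stolen cookie from being replayed, which is why the example also enforces the expiry and checks the session still exists server-side.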
CVE ID | Title | Affected product | CVSS | Risk level | Published
CVE-2026-39963 | Serendipity security vulnerability | Serendipity | 6.9 | Medium | 2026-04-14
CVE-2026-5130 | WordPress plugin Debugger & Troubleshooter security vulnerability | Debugger & Troubleshooter | 8.8 | High | 2026-03-30
CVE-2014-125112 | Plack::Middleware::Session::Cookie security vulnerability | Plack::Middleware::Session::Cookie | 9.8 (AI) | Critical (AI) | 2026-03-26
CVE-2022-50926 | WAGO security vulnerability | WAGO 750-8212 PFC200 | 9.8 | Critical | 2026-01-13
CVE-2025-14440 | WordPress plugin JAY Login & Register security vulnerability | JAY Login & Register | 9.8 | Critical | 2025-12-13
CVE-2021-47706 | COMMAX Biometric Access Control System security vulnerability | COMMAX Biometric Access Control System | 7.5 (AI) | High (AI) | 2025-12-09
CVE-2025-64447 | Fortinet FortiWeb security vulnerability | FortiWeb | 7.1 | High | 2025-12-09
CVE-2025-31120 | NamelessMC security vulnerability | Nameless | 5.3 | Medium | 2025-04-18
CVE-2025-2395 | e-Excellence U-Office Force security vulnerability | U-Office Force | 9.8 | Critical | 2025-03-17
CVE-2024-9970 | NewType FlowMaster BPM Plus security vulnerability | FlowMaster BPM Plus | 8.8 | High | 2024-10-15
CVE-2024-0947 | Elektraweb security vulnerability | Elektraweb | 9.8 | Critical | 2024-06-27
CVE-2024-21872 | Electrolink FM/DAB/TV Transmitter security vulnerability | Compact DAB Transmitter | 7.5 | High | 2024-04-18
CVE-2024-22186 | Electrolink FM/DAB/TV Transmitter security vulnerability | Compact DAB Transmitter | 8.8 | High | 2024-04-18
CVE-2023-32725 | Zabbix security vulnerability | Zabbix | 9.6 | Critical | 2023-12-18
CVE-2023-41084 | Socomec MODULYS GP security vulnerability | MODULYS GP (MOD3GP-SY-120K) | 10.0 | Critical | 2023-09-18
CVE-2021-3818 | Grav access control error vulnerability | getgrav/grav | - | - | 2021-09-27
CVE-2021-33842 | Circutor SGE-PLC1000 authorization issue vulnerability | SGE-PLC1000 | 8.8 | High | 2021-06-09
CVE-2021-29624 | Fastify cross-site request forgery vulnerability | fastify-csrf | 6.5 | Medium | 2021-05-19
CVE-2020-15128 | October CMS cryptographic issue vulnerability | october | 6.1 | Medium | 2020-07-31
CVE-2018-5455 | Moxa OnCell G3100-HSPA Series security vulnerability | Moxa OnCell G3100-HSPA Series | 9.8 | - | 2018-03-05

Scores marked (AI) were assigned by the platform's AI analysis rather than taken from the CVE record.

CWE-565 (Reliance on Cookies without Validation and Integrity Checking) is a common weakness class; this platform lists 20 CVE entries associated with it.