
CWE-610 Externally Controlled Reference to a Resource in Another Sphere: vulnerability list (45)

Summary of the 45 CVE vulnerabilities in the CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) weakness class, with AI-generated Chinese analysis.

CWE-610 belongs to the class of external-resource-reference weaknesses: the program uses an externally controlled name or reference that resolves to a resource outside its intended control sphere. Attackers typically manipulate input so that the program accesses unintended files, network endpoints or databases, allowing them to steal sensitive data or perform unauthorized operations. Developers should avoid concatenating user input directly into resource references, validate resource identifiers strictly against an allow-list, and ensure the program can only reach legitimate resources within its controlled domain, which closes off this attack path.

MITRE CWE official description
CWE-610 Externally Controlled Reference to a Resource in Another Sphere: The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Common consequences (2)
Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data.
An adversary could read or modify data, depending on how the resource is intended to be used.
Scope: Access Control. Impact: Gain Privileges or Assume Identity.
An adversary that can supply a reference to an unintended resource can potentially access a resource that they do not have privileges for, thus bypassing existing access control mechanisms.
Code example (1)
The following code is a Java servlet that will receive a GET request with a url parameter in the request to redirect the browser to the address specified in the url parameter. The servlet will retrieve the url parameter value from the request and send a response to redirect the browser to the url address.
    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class RedirectServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            String query = request.getQueryString();
            // getQueryString() returns null when there is no query string
            if (query != null && query.contains("url")) {
                // Bad: the redirect target comes straight from the request
                // and is never validated against an allow-list of destinations
                String url = request.getParameter("url");
                response.sendRedirect(url);
            }
        }
    }
Bad · Java
<a href="http://bank.example.com/redirect?url=http://attacker.example.net">Click here to log in</a>
Attack · HTML
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-34327 | Microsoft Partner Center Spoofing Vulnerability | Microsoft Partner Center | 8.2 | High | 2026-05-07
CVE-2026-0522 | Local File Inclusion in the File Upload/Download Process | VertiGIS FM | 8.8 | High | 2026-04-01
CVE-2026-32008 | OpenClaw < 2026.2.21 - Arbitrary Local File Read via Browser Navigation Guard | OpenClaw | 6.5 | Medium | 2026-03-19
CVE-2026-28722 | Acronis Cyber Protect security vulnerability | Acronis Cyber Protect 17 | 7.8 | - | 2026-03-05
CVE-2026-28721 | Acronis Cyber Protect security vulnerability | Acronis Cyber Protect 17 | 7.8 | - | 2026-03-05
CVE-2025-9065 | Rockwell Automation ThinManager® Server-Side Request Forgery Vulnerability | ThinManager | 9.6 | Critical | 2025-09-09
CVE-2025-48963 | Acronis Cyber Protect Cloud Agent security vulnerability | Acronis Cyber Protect Cloud Agent | 7.8 | - | 2025-08-28
CVE-2015-10142 | Sitecore XP < 8.0 and CMS < 7.2 and < 7.5 File Read via Known Path | Experience Platform (XP) | 7.5 | - | 2025-07-25
CVE-2025-2875 | Schneider Electric multiple products security vulnerability | Modicon Controllers M241 / M251 | 7.5 | High | 2025-05-14
CVE-2024-13177 | Symlink Following in Netskope Client Postinstall Script | Netskope Client | 7.8 | High | 2025-04-15
CVE-2022-23439 | Fortinet multiple products security vulnerability | FortiTester | 4.1 | Medium | 2025-01-22
CVE-2025-22144 | Account Takeover in NamelessMC | Nameless | 8.1 | - | 2025-01-13
CVE-2024-42168 | HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability | DRYiCE MyXalytics | 8.9 | High | 2025-01-11
CVE-2024-52792 | Arbitrary config values override in lam | lam | 6.5 | Medium | 2024-12-17
CVE-2024-47773 | Anonymous cache poisoning via XHR requests in Discourse | discourse | 8.2 | High | 2024-10-08
CVE-2024-45826 | ThinManager® Code Execution Vulnerability | ThinManager | 6.8 | Medium | 2024-09-12
CVE-2024-7625 | Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking | Nomad | 5.8 | Medium | 2024-08-14
CVE-2024-6079 | DLL Hijacking Vulnerability Exists in Rockwell Automation Emulate3D™ | Emulate3D™ | 7.8 | High | 2024-08-13
CVE-2024-28962 | Dell Update and Dell Alienware Update security vulnerability | Dell Update (DU) | 6.5 | Medium | 2024-08-06
CVE-2024-29069 | snapd will follow archived symlinks when unpacking a filesystem | snapd | 4.8 | Medium | 2024-07-25
CVE-2024-6717 | Nomad Vulnerable to Allocation Directory Path Escape Through Archive Unpacking | Nomad | 7.7 | High | 2024-07-23
CVE-2024-32980 | Spin contains a potential network sandbox escape for specifically configured Spin applications | spin | 9.1 | Critical | 2024-05-08
CVE-2024-24818 | EspoCRM weakness in "Forgot password" | espocrm | 5.9 | Medium | 2024-02-29
CVE-2024-24760 | Mailcow Docker Container Exposure to Local Network | mailcow-dockerized | 8.8 | High | 2024-02-02
CVE-2023-4089 | WAGO: Multiple products vulnerable to local file inclusion | Compact Controller CC100 | 2.7 | Low | 2023-10-17
CVE-2023-44209 | Acronis Agent security vulnerability | Acronis Cyber Protect Cloud Agent | 7.8 | - | 2023-10-04
CVE-2022-46869 | Acronis Cyber Protect link following vulnerability | Acronis Cyber Protect Home Office | 7.8 | - | 2023-08-31
CVE-2022-46868 | Acronis Cyber Protect security vulnerability | Acronis Cyber Protect Home Office | 7.8 | - | 2023-08-31
CVE-2023-37855 | PHOENIX CONTACT: Unauthorized read-access of root filesystem in WP 6xxx Web panels | WP 6070-WVPS | 4.3 | Medium | 2023-08-09
CVE-2023-37856 | PHOENIX CONTACT: Unauthorized read-access of root filesystem in WP 6xxx Web panels | WP 6070-WVPS | 4.3 | Medium | 2023-08-09

CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) is a common weakness class; this platform lists the 45 CVE vulnerabilities associated with it.