CWE-669 Incorrect Resource Transfer Between Spheres: vulnerability list (45)

Summary of the 45 CVE entries associated with the weakness class CWE-669 Incorrect Resource Transfer Between Spheres, with AI-generated analysis in Chinese.

CWE-669 covers improper transfer of a resource across control spheres: when the product moves a resource or behavior from one security sphere to another (for example from an HTTP client into the server's filesystem, or from a remote host into the code the server executes), it fails to apply the controls that boundary requires, and an outside party gains unintended control over the resource. Attackers exploit this by manipulating the data or call that crosses the boundary, so that a name, path, URL or object chosen in the untrusted sphere selects or supplies a resource in the trusted one, letting them perform privileged operations or inject their own logic. CWE-669 is a class-level weakness; concrete vulnerabilities are normally mapped to its children, such as CWE-434 (unrestricted upload of a file with dangerous type) and CWE-829 (inclusion of functionality from an untrusted control sphere), which the two code examples below illustrate. Developers should never let unvalidated data from one sphere name a resource in another, should validate and canonicalize such values against an explicit allow-list before use, and should apply least privilege to the component performing the transfer so that even a bypass controls as little as possible.

MITRE CWE official description
CWE-669 Incorrect Resource Transfer Between Spheres: The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Common consequences (1)
Scope: Confidentiality, Integrity. Technical impact: Read Application Data, Modify Application Data, Unexpected State.
Code examples (2)
The following code demonstrates the unrestricted upload of a file with a Java servlet and a path traversal vulnerability. The action attribute of an HTML form is sending the upload file request to the Java servlet.
```html
<form action="FileUploadServlet" method="post" enctype="multipart/form-data">
  Choose a file to upload:
  <input type="file" name="filename"/>
  <br/>
  <input type="submit" name="submit" value="Submit"/>
</form>
```
Good · HTML
```java
public class FileUploadServlet extends HttpServlet {
    ...

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String contentType = request.getContentType();

        // the starting position of the boundary header
        int ind = contentType.indexOf("boundary=");
        String boundary = contentType.substring(ind+9);

        String pLine = new String();
        String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value

        // verify that content type is multipart form data
        ...
    }
}
```
Bad · Java
This code includes an external script to get database credentials, then authenticates a user against the database, allowing access to the application.
```php
//assume the password is already encrypted, avoiding CWE-312
function authenticate($username,$password){
    include("http://external.example.com/dbInfo.php");
    //dbInfo.php makes $dbhost, $dbuser, $dbpass, $dbname available
    mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
    mysql_select_db($dbname);
    $query = 'Select * from users where username='.$username.' And password='.$password;
    $result = mysql_query($query);
    if(mysql_numrows($result) == 1){
        mysql_close();
        return true;
    }
    else{
        mysql_close();
        return false;
    }
}
```
Bad · PHP
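Both MITRE examples above fail at the same point: a string chosen in the untrusted sphere (the multipart filename sent by the browser, the URL handed to include()) directly selects a resource in the trusted sphere (a path under the upload directory, code the server executes). The following is an added example, written for this page in Python rather than the page's Java and PHP, and not MITRE's or any listed project's code. It places the unchecked form of each transfer beside a fail-closed check: the upload name is accepted only as a bare file name pinned directly inside the upload root, and an include name is accepted only as a bare identifier on an allow-list mapped into a fixed directory. The directory names, the allow-list and the sample inputs are constructed for the example.

```python
"""
Added example for this CWE-669 page (not MITRE's code and not from any
project listed here). A name arriving from the untrusted sphere (HTTP
client, remote host) must be validated before it selects a resource in
the trusted sphere (filesystem, code that gets executed). Directory
names and the allow-list are hypothetical; sample inputs are constructed.
"""
import re
from pathlib import Path
from typing import Optional

UPLOAD_DIR = Path("/srv/app/uploads")      # hypothetical trusted sphere (storage)
INCLUDE_DIR = Path("/srv/app/includes")    # hypothetical trusted sphere (code)
ALLOWED_INCLUDES = frozenset({"dbInfo", "helpers"})   # hypothetical allow-list


def vulnerable_upload_path(filename: str) -> str:
    """Same logic as uploadLocation + filename in the servlet: the client's
    string becomes the destination path with no check at all."""
    return str(UPLOAD_DIR) + "/" + filename


def safe_upload_path(filename: str) -> Optional[Path]:
    """Accept only a bare file name and pin it directly inside UPLOAD_DIR.
    Returns None (fail closed) for anything carrying a directory component,
    a NUL byte or non-printable characters."""
    normalized = filename.replace("\\", "/")          # Windows-style separators too
    if (
        not normalized
        or normalized in (".", "..")
        or "/" in normalized
        or "\x00" in normalized
        or not normalized.isprintable()
    ):
        return None
    root = UPLOAD_DIR.resolve(strict=False)
    dest = (root / normalized).resolve(strict=False)
    # Defense in depth: after symlink resolution the file must still sit
    # directly under the upload root, not merely share a string prefix.
    if dest.parent != root:
        return None
    return dest


def vulnerable_include_source(source: str) -> str:
    """Same logic as include($source) with a URL: whatever the string names
    is fetched and executed, so a remote host controls the code sphere."""
    return source


def safe_include_path(name: str) -> Optional[Path]:
    """Map an include name to a file under INCLUDE_DIR only if it is a bare
    identifier on the allow-list; URLs, paths and unknown names are refused."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        return None
    if name not in ALLOWED_INCLUDES:
        return None
    root = INCLUDE_DIR.resolve(strict=False)
    path = (root / f"{name}.php").resolve(strict=False)
    if path.parent != root:
        return None
    return path


# Constructed inputs: one benign value and the classic escapes for each sphere.
CONSTRUCTED_UPLOAD_NAMES = [
    "report.pdf",
    "../../etc/cron.d/job",
    "..\\..\\Windows\\win.ini",
    "/etc/passwd",
    "note.txt\x00.jpg",
]
CONSTRUCTED_INCLUDE_NAMES = [
    "dbInfo",
    "http://external.example.com/dbInfo.php",
    "../../../etc/passwd",
    "config",
]


def triage() -> dict:
    """Run every constructed input through the safe checks; True = accepted."""
    return {
        "upload": {n: safe_upload_path(n) is not None for n in CONSTRUCTED_UPLOAD_NAMES},
        "include": {n: safe_include_path(n) is not None for n in CONSTRUCTED_INCLUDE_NAMES},
    }


if __name__ == "__main__":
    for sphere, verdicts in triage().items():
        for name, accepted in verdicts.items():
            print(f"{sphere:8s} {'ACCEPT' if accepted else 'REJECT'}  {name!r}")
```

The checks reject rather than sanitize: a traversal payload is refused outright instead of being trimmed to a base name, so a bypass of one rule never silently produces a "cleaned" path. The final parent comparison is done on resolved paths, which also catches a symlink planted inside the trusted directory that points outside it.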
CVE ID         | Title                                                                    | Product                         | CVSS     | Risk       | Published
CVE-2026-44599 | Tor, multiple versions: BEGIN_DIR bypass vulnerability                  | Tor                             | 3.7      | Low        | 2026-05-07
CVE-2026-42997 | OpenStack Ironic, multiple versions: authentication bypass vulnerability | Ironic                          | 7.7      | High       | 2026-05-05
CVE-2026-40552 | BinSoft mpGabinet security vulnerability                                 | mpGabinet                       | 8.0 (AI) | High (AI)  | 2026-04-28
CVE-2026-41525 | Dolphin security vulnerability                                           | Dolphin                         | 6.5      | Medium     | 2026-04-28
CVE-2026-41030 | DesktopEditors security vulnerability                                    | ONLYOFFICE DesktopEditors       | 6.2      | Medium     | 2026-04-16
CVE-2026-40228 | systemd security vulnerability                                           | systemd                         | 2.9      | Low        | 2026-04-10
CVE-2026-40225 | systemd security vulnerability                                           | systemd                         | 6.4      | Medium     | 2026-04-10
CVE-2026-35545 | Roundcube Webmail security vulnerability                                 | Webmail                         | 5.3      | Medium     | 2026-04-03
CVE-2026-35544 | Roundcube Webmail security vulnerability                                 | Webmail                         | 5.3      | Medium     | 2026-04-03
CVE-2026-35543 | Roundcube Webmail security vulnerability                                 | Webmail                         | 5.3      | Medium     | 2026-04-03
CVE-2026-35542 | Roundcube Webmail security vulnerability                                 | Webmail                         | 5.3      | Medium     | 2026-04-03
CVE-2026-35540 | Roundcube Webmail security vulnerability                                 | Webmail                         | 5.4      | Medium     | 2026-04-03
CVE-2025-41660 | CODESYS Control runtime system security vulnerability                    | CODESYS Control RTE (SL)        | 8.8      | High       | 2026-03-24
CVE-2026-33265 | LibreChat security vulnerability                                         | LibreChat                       | 6.3      | Medium     | 2026-03-18
CVE-2026-32772 | GNU Inetutils security vulnerability                                     | inetutils                       | 3.4      | Low        | 2026-03-13
CVE-2026-24708 | OpenStack Nova security vulnerability                                    | Nova                            | 8.2      | High       | 2026-02-18
CVE-2026-25253 | OpenClaw security vulnerability                                          | OpenClaw                        | 8.8      | High       | 2026-02-01
CVE-2025-67895 | Apache Airflow security vulnerability                                    | Apache Airflow Providers Edge3  | 8.8 (AI) | High (AI)  | 2025-12-17
CVE-2025-62775 | Mercku M6a security vulnerability                                        | M6a                             | 8.0      | High       | 2025-10-22
CVE-2025-62646 | Restaurant Brands International assistant platform security vulnerability | assistant platform             | 5.0      | Medium     | 2025-10-17
CVE-2024-31573 | XMLUnit security vulnerability                                           | XMLUnit for Java                | 4.0      | Medium     | 2025-10-17
CVE-2025-62292 | SonarQube security vulnerability                                         | SonarQube                       | 4.3      | Medium     | 2025-10-10
CVE-2025-56675 | EKEN video doorbell T6 security vulnerability                            | video doorbell T6               | 3.5      | Low        | 2025-09-30
CVE-2025-59691 | PureVPN security vulnerability                                           | PureVPN                         | 3.7      | Low        | 2025-09-18
CVE-2025-59692 | PureVPN security vulnerability                                           | PureVPN                         | 3.7      | Low        | 2025-09-18
CVE-2025-59453 | Click Studios Passwordstate security vulnerability                       | Passwordstate                   | 3.2      | Low        | 2025-09-16
CVE-2025-59378 | GNU Guix security vulnerability                                          | Guix                            | 5.7      | Medium     | 2025-09-15
CVE-2025-59363 | One Identity OneLogin security vulnerability                             | OneLogin                        | 7.7      | High       | 2025-09-14
CVE-2025-34158 | Plex Media Server security vulnerability                                 | Media Server                    | 8.5      | High       | 2025-08-21
CVE-2025-54956 | gh security vulnerability                                                | gh                              | 3.2      | Low        | 2025-08-03

Scores and risk ratings marked (AI) carry the page's AI badge, i.e. they were assigned by the platform's AI assessment rather than taken from the published record; the rest are listed as published. The table shows the first 30 of the 45 catalogued entries.

CWE-669 (Incorrect Resource Transfer Between Spheres) is a common weakness class; this platform has catalogued 45 CVE entries associated with it.