
CWE-669 (Incorrect Resource Transfer Between Spheres): Vulnerability Class, 45 CVEs

45 vulnerabilities are classified as CWE-669 (Incorrect Resource Transfer Between Spheres). AI-generated analysis in Chinese is included.

CWE-669 is a class-level weakness: a system moves a resource or a piece of behavior from one sphere of control to another (from an untrusted client onto the server's filesystem, from a remote host into the application's code path, from an internal network to an external one) without keeping control of it, so the other sphere gains influence the design never intended. Its concrete forms are familiar: a file upload whose name and extension are chosen by the client (CWE-434), code or configuration included from an untrusted location (CWE-829), a credential forwarded across an origin boundary, or an internal-only interface reachable from a less trusted network. Attackers exploit it by controlling the context or metadata of the transfer, such as the filename, the include path, the redirect target or the destination host, rather than the payload alone. The mitigation is the same at every boundary: decide which sphere owns the resource, canonicalize and validate everything the other sphere supplies before it influences a path, a host or a code load, verify the integrity of anything imported, and check that the result actually stays inside the sphere it was meant for.

MITRE CWE Description
The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.
Common Consequences (1)
Scope: Confidentiality, Integrity
Impact: Read Application Data, Modify Application Data, Unexpected State
Examples (2)
The following code demonstrates unrestricted file upload with a Java servlet, including a path traversal vulnerability. The action attribute of the HTML form sends the upload request to the Java servlet.

    <form action="FileUploadServlet" method="post" enctype="multipart/form-data">
        Choose a file to upload:
        <input type="file" name="filename"/>
        <br/>
        <input type="submit" name="submit" value="Submit"/>
    </form>

Good · HTML

The servlet builds the destination from a constant upload directory plus data taken from the request; the listing is cut off on this page after the content-type check.

    public class FileUploadServlet extends HttpServlet {
        ...
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            String contentType = request.getContentType();

            // the starting position of the boundary header
            int ind = contentType.indexOf("boundary=");
            String boundary = contentType.substring(ind+9);

            String pLine = new String();
            String uploadLocation = new String(UPLOAD_DIRECTORY_STRING); //Constant value

            // verify that content type is multipart form data
            ...

Bad · Java
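The servlet above takes its output path from a constant directory plus client-supplied data. The Python handler below is an added example, not code from this page or from MITRE: it shows the same mistake next to a hardened version that confines the written file to the upload directory, which is the general rule the opening paragraph gives (canonicalize what the other sphere supplies and check the result stays inside its intended sphere before using it). The allowed extensions, the filename character set and the sample filenames are assumptions constructed for this example.

```python
# Added example (not from the page or MITRE): client-controlled upload path,
# vulnerable form beside a hardened one. Policy constants are assumed.
import os
import re
import tempfile
from pathlib import Path

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf", ".txt"}   # assumed policy
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")          # assumed policy


class UploadRejected(ValueError):
    """Raised when the client-supplied name would leave the upload sphere."""


def vulnerable_destination(upload_dir: str, client_filename: str) -> str:
    """Mirrors uploadLocation + filename in the servlet: no checks at all.

    os.path.join discards upload_dir entirely when the client sends an
    absolute path, and '..' segments pass through verbatim, so the client
    chooses where on the host the file lands.
    """
    return os.path.join(upload_dir, client_filename)


def safe_destination(upload_dir: str, client_filename: str) -> Path:
    base = Path(upload_dir).resolve()
    # 1. Keep only the last path component. Some clients send a full local
    #    path, and both separators must count as separators.
    name = re.split(r"[\\/]", client_filename)[-1]
    # 2. Allow-list the name: non-empty, no leading dot (so no '.', '..' or
    #    dotfiles), no NUL or control characters, bounded length.
    if not NAME_RE.fullmatch(name):
        raise UploadRejected(f"bad filename {client_filename!r}")
    # 3. Allow-list every extension, so shell.php.png is rejected as well as
    #    shell.php; a double extension is the classic way past a suffix check.
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        raise UploadRejected(f"extension not allowed in {name!r}")
    # 4. Canonicalize and confirm the result is a direct child of base.
    dest = (base / name).resolve()
    if dest.parent != base:
        raise UploadRejected("destination escaped the upload directory")
    return dest


def write_upload(upload_dir: str, client_filename: str, data: bytes) -> Path:
    dest = safe_destination(upload_dir, client_filename)
    # O_EXCL: never overwrite an existing file or follow a planted symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def is_rejected(upload_dir: str, client_filename: str) -> bool:
    try:
        safe_destination(upload_dir, client_filename)
        return False
    except UploadRejected:
        return True


def demo() -> dict:
    """Run both handlers over constructed client filenames; return what each did."""
    attempts = [
        "report.pdf",                      # honest upload
        r"C:\Users\alice\notes.txt",       # full client path, still fine
        "../../etc/cron.d/evil.txt",       # traversal
        "/etc/passwd",                     # absolute path
        "shell.php.png",                   # double extension
        ".htaccess",                       # dotfile
        "a\x00.png",                       # NUL truncation
    ]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name in attempts:
            results[name] = {
                "vulnerable": vulnerable_destination(tmp, name),
                "hardened": None if is_rejected(tmp, name)
                            else write_upload(tmp, name, b"data").name,
            }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:32} vulnerable -> {outcome['vulnerable']}")
        print(f"{'':32} hardened   -> {outcome['hardened']}")
```

Two design choices worth noting: directory components are stripped rather than causing a rejection, which matches how the servlet handles client paths (some deployments prefer to reject outright and log the attempt), and the extension check applies to every suffix, so a name like report.v2.pdf is also refused under this policy.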
This code includes an external script to obtain database credentials, then authenticates a user against the database, granting access to the application. Whoever controls external.example.com, or the plain-HTTP path to it, controls code that runs inside the application; the credentials and the behavior both come from another sphere.

    //assume the password is already encrypted, avoiding CWE-312
    function authenticate($username,$password){
        include("http://external.example.com/dbInfo.php");
        //dbInfo.php makes $dbhost, $dbuser, $dbpass, $dbname available
        mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
        mysql_select_db($dbname);
        $query = 'Select * from users where username='.$username.' And password='.$password;
        $result = mysql_query($query);
        if(mysql_numrows($result) == 1){
            mysql_close();
            return true;
        }
        else{
            mysql_close();
            return false;
        }
    }

Bad · PHP
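The PHP function above executes whatever the remote host returns. The Python code below is an added example, not code from this page or from MITRE, in Python rather than PHP so it can stand in for any include-from-elsewhere pattern: a constructed in-memory "origin" replaces the network, a vulnerable loader executes what it fetches, and a hardened loader treats the response as data, verifies it against a digest pinned at deployment time, and checks its shape before use. All URLs, bodies, the pinned digest and the SIDE_EFFECTS marker are constructed for this example.

```python
# Added example (not from the page or MITRE): importing behaviour from an
# untrusted sphere versus importing pinned, validated data.
import hashlib
import hmac
import json

# Constructed stand-in for the network: what each URL returns.
GENUINE_CONFIG = b'{"dbhost": "db.internal", "dbname": "app"}'
ORIGIN = {
    # Body the application was written and reviewed against.
    "http://external.example.com/dbInfo.json": GENUINE_CONFIG,
    # Same resource after the host is compromised or the plain-HTTP response
    # is rewritten on the path: points the app at an attacker-run database.
    "http://external.example.com/dbInfo.json?after-compromise":
        b'{"dbhost": "db.attacker.example", "dbname": "app"}',
    # The code-shaped variant that the include() pattern would happily run.
    "http://external.example.com/dbInfo.py":
        b"dbhost = 'db.internal'\nSIDE_EFFECTS.append('attacker code ran')\n",
}

SIDE_EFFECTS: list = []            # records anything a loader lets execute
EXPECTED_KEYS = {"dbhost", "dbname"}

# Deploy-time pin: computed once from the reviewed config and shipped with
# the application, never fetched alongside the resource it protects.
PINNED_SHA256 = hashlib.sha256(GENUINE_CONFIG).hexdigest()


class UntrustedImport(Exception):
    pass


def fetch(url: str) -> bytes:
    """Pretend network fetch (constructed); a real client would use urllib."""
    return ORIGIN[url]


def sha256_of(url: str) -> str:
    return hashlib.sha256(fetch(url)).hexdigest()


def vulnerable_include(url: str) -> dict:
    """The include() pattern: fetch from another sphere and execute it."""
    namespace = {"SIDE_EFFECTS": SIDE_EFFECTS}
    exec(fetch(url), namespace)    # attacker-controlled code runs here
    return {k: v for k, v in namespace.items()
            if not k.startswith("__") and k != "SIDE_EFFECTS"}


def load_db_config(url: str, pinned_sha256: str = PINNED_SHA256) -> dict:
    """Import data, not behaviour: pin, parse, validate, only then use."""
    body = fetch(url)
    # 1. Integrity first: a body that is not byte-for-byte what was pinned is
    #    rejected before it is even parsed, whatever it contains.
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256):
        raise UntrustedImport(f"digest mismatch for {url}: {actual[:12]}")
    # 2. Parse as data. json.loads cannot execute anything it reads.
    try:
        cfg = json.loads(body)
    except ValueError as exc:
        raise UntrustedImport(f"not JSON: {exc}") from exc
    # 3. Shape check: exactly the expected keys, all plain strings.
    if (not isinstance(cfg, dict) or set(cfg) != EXPECTED_KEYS
            or not all(isinstance(v, str) for v in cfg.values())):
        raise UntrustedImport("unexpected config shape")
    return cfg


def is_rejected_import(url: str, pinned_sha256: str = PINNED_SHA256) -> bool:
    try:
        load_db_config(url, pinned_sha256)
        return False
    except UntrustedImport:
        return True


if __name__ == "__main__":
    print("hardened:", load_db_config("http://external.example.com/dbInfo.json"))
    for url in ("http://external.example.com/dbInfo.json?after-compromise",
                "http://external.example.com/dbInfo.py"):
        print("hardened rejects", url, is_rejected_import(url))
    print("vulnerable:", vulnerable_include("http://external.example.com/dbInfo.py"))
    print("side effects:", SIDE_EFFECTS)
```

A hash pin is the simplest form of this control and suits a resource that changes only with a redeploy; where the remote data must change independently, a signature by a key the application trusts replaces the pin, but the order stays the same: verify, then parse as data, then validate the shape. The page's PHP example also concatenates unquoted input into its SQL query, which is a separate weakness from the include.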
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-54352 | WordPress security vulnerability | WordPress | 3.7 | Low | 2025-07-21
CVE-2025-54310 | qBittorrent security vulnerability | qBittorrent | 4.0 | Medium | 2025-07-18
CVE-2025-41645 | SMA: Sunny Portal demo system privilege escalation | www.sunnyportal.com | 8.6 | High | 2025-05-13
CVE-2025-26698 | J's Communication RevoWorks Browser and J's Communication RevoWorks SCVX security vulnerability | RevoWorks SCVX | 7.5 | - | 2025-02-26
CVE-2024-38519 | yt-dlp and youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization | yt-dlp | 7.8 | High | 2024-07-02
CVE-2024-37891 | Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3 | urllib3 | 4.4 | Medium | 2024-06-17
CVE-2024-29018 | External DNS requests from 'internal' networks could lead to data exfiltration | moby | 5.9 | Medium | 2024-03-20
CVE-2023-41894 | Local-only webhooks externally accessible via SniTun in Home Assistant Core | core | 5.3 | Medium | 2023-10-19
CVE-2022-46173 | Elrond go Processing: fallback search of SCRs when not found in the main cache | elrond-go | 7.2 | High | 2022-12-28
CVE-2022-39225 | Parse Server subject to Incorrect Resource Transfer Between Spheres | parse-server | 4.3 | Medium | 2022-09-23
CVE-2022-35916 | Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls | openzeppelin-contracts | 5.3 | Medium | 2022-08-01
CVE-2022-30236 | Schneider Electric Wiser Smart security vulnerability | Wiser Smart | 8.2 | High | 2022-06-02
CVE-2021-22806 | Schneider Electric multiple products security vulnerability | spaceLYnk (V2.6.1 and prior), Wiser for KNX (V2.6.1 and prior), fellerLYnk (V2.6.1 and prior) | 7.5 | - | 2022-02-11
CVE-2021-34574 | Password policy evasion in products of MB connect line and Helmholz | mymbCONNECT24 | 4.3 | Medium | 2021-08-02
CVE-2020-15257 | containerd-shim API Exposed to Host Network Containers | containerd | 5.2 | Medium | 2020-12-01

Vulnerabilities classified as CWE-669 (Incorrect Resource Transfer Between Spheres) number 45 CVEs, 15 of which are listed above. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.