
CWE-749 (Exposure of Dangerous Method or Function) — Vulnerability Class 119

119 vulnerabilities classified as CWE-749 (Exposure of Dangerous Method or Function). AI Chinese analysis included.

CWE-749 represents a critical architectural flaw where an application exposes a dangerous method or function through its API without adequate access controls. This weakness occurs when developers fail to restrict sensitive operations, allowing external actors to invoke functions that should remain internal or privileged. Attackers typically exploit this by directly calling these unrestricted endpoints to bypass intended security logic, potentially leading to unauthorized data access, privilege escalation, or system compromise. The severity depends on the specific function exposed, ranging from information disclosure to complete system takeover. To mitigate this risk, developers must implement strict authentication and authorization checks on all API endpoints. Additionally, adhering to the principle of least privilege ensures that only necessary methods are exposed, while comprehensive input validation and regular security audits help identify and remediate improperly secured interfaces before they can be weaponized by malicious actors.

MITRE CWE Description
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. This weakness can lead to a wide variety of resultant weaknesses, depending on the behavior of the exposed method. It can apply to any number of technologies and approaches, such as ActiveX controls, Java functions, IOCTLs, and so on. The exposure can occur in a few different ways:
- The function/method was never intended to be exposed to outside actors.
- The function/method was only intended to be accessible to a limited set of actors, such as Internet-based access from a single web site.
Common Consequences (1)
Scope: Integrity, Confidentiality, Availability, Access Control, Other
Impact: Gain Privileges or Assume Identity, Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Other
Exposing critical functionality essentially provides an attacker with the privilege level of the exposed functionality. This could result in the modification or exposure of sensitive data or possibly even execution of arbitrary code.
Mitigations (2)
Phase: Architecture and Design
If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.

Phase: Architecture and Design, Implementation
Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
- accessible to all users
- restricted to a small set of privileged users
- prevented from being directly accessible at all
Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where ap…
Examples (2)
In the following Java example the method removeDatabase will delete the database with the name specified in the input parameter.
// public: any caller holding a reference to this object can drop any database it names
public void removeDatabase(String databaseName) {
    try {
        Statement stmt = conn.createStatement();
        stmt.execute("DROP DATABASE " + databaseName);
    } catch (SQLException ex) {...}
}
Bad · Java
// private: only code inside this class can reach the DROP, so it is no longer part of the API surface
private void removeDatabase(String databaseName) {
    try {
        Statement stmt = conn.createStatement();
        stmt.execute("DROP DATABASE " + databaseName);
    } catch (SQLException ex) {...}
}
Good · Java
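The Mitigations section above says to list what must be exposed, decide who may reach it, and then make the code match with access modifiers, argument validation and authorization. Changing `removeDatabase` to `private` is only the first of those. The following is an added illustration (not MITRE's code and not from any product listed on this page) of the rest: the dangerous method stays private, the single public entry point authorizes the caller, and the identifier is matched against a fixed allowlist because DDL names cannot be bound as JDBC parameters. `DatabaseAdmin`, `Principal`, the `db-admin` role, the database names and the dynamic-proxy JDBC stand-in in `main` are all assumptions made for the example; it needs Java 17 and no real database.

```java
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical hardened wrapper around the removeDatabase example above.
 * Added illustration, not MITRE's or any product's code; all names are assumptions.
 */
public final class DatabaseAdmin {

    /** Caller identity as the application sees it (constructed stand-in for a real principal). */
    public record Principal(String name, Set<String> roles) {}

    /** Explicit allowlist: the only databases this interface may ever drop (constructed names). */
    private static final Set<String> DROPPABLE = Set.of("scratch_db", "staging_db");

    /** Identifier grammar assumed here: letters, digits and underscore, at most 63 characters. */
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,62}");

    private final Connection conn;

    public DatabaseAdmin(Connection conn) {
        this.conn = conn;
    }

    /**
     * The only exposed entry point. Order matters: authorize the caller first,
     * then validate the argument against the allowlist, then delegate.
     */
    public void dropScratchDatabase(Principal caller, String databaseName) throws SQLException {
        if (!caller.roles().contains("db-admin")) {
            throw new SecurityException(caller.name() + " is not authorized to drop databases");
        }
        if (!IDENTIFIER.matcher(databaseName).matches() || !DROPPABLE.contains(databaseName)) {
            throw new IllegalArgumentException("refusing to drop a database outside the allowlist");
        }
        removeDatabase(databaseName);
    }

    /** Stays private: not reachable from outside this class, so not part of the API surface. */
    private void removeDatabase(String databaseName) throws SQLException {
        // DDL identifiers cannot be bound as JDBC parameters; the concatenation is
        // acceptable only because the name was matched against a fixed allowlist above.
        try (Statement stmt = conn.createStatement()) {
            stmt.execute("DROP DATABASE " + databaseName);
        }
    }

    /** Offline demo: a recording JDBC stand-in built with dynamic proxies (no real database). */
    public static void main(String[] args) throws Exception {
        List<String> executed = new ArrayList<>();
        Statement fakeStmt = (Statement) Proxy.newProxyInstance(
                Statement.class.getClassLoader(), new Class<?>[] {Statement.class},
                (proxy, method, a) -> {
                    if (method.getName().equals("execute")) {
                        executed.add((String) a[0]);
                        return Boolean.FALSE;
                    }
                    return null; // close() and other void methods: nothing to do
                });
        Connection fakeConn = (Connection) Proxy.newProxyInstance(
                Connection.class.getClassLoader(), new Class<?>[] {Connection.class},
                (proxy, method, a) -> method.getName().equals("createStatement") ? fakeStmt : null);

        DatabaseAdmin admin = new DatabaseAdmin(fakeConn);
        Principal analyst = new Principal("analyst", Set.of("reader"));
        Principal dba = new Principal("dba", Set.of("db-admin"));

        try {
            admin.dropScratchDatabase(analyst, "scratch_db"); // wrong role
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
        try {
            admin.dropScratchDatabase(dba, "prod_db"); // right role, name not allowlisted
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        admin.dropScratchDatabase(dba, "scratch_db"); // right role, allowlisted name
        System.out.println("executed: " + executed);
    }
}
```

The allowlist is the point a reviewer should look for: a `private` modifier stops other classes from calling the method directly, but if the public caller still forwards an arbitrary string into `DROP DATABASE`, the dangerous capability has merely moved one method up the stack.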
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the JavaScript within the WebView to communicate with the application:
// Android
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url){
    // Fixed-offset substring checks: any page loaded in this WebView can trigger the bridge,
    // and substring(0,14) throws StringIndexOutOfBoundsException on URLs shorter than 14 characters.
    if (url.substring(0,14).equalsIgnoreCase("examplescheme:")){
        if(url.substring(14,25).equalsIgnoreCase("getUserInfo")){
            writeDataToView(view, UserData);
            return false;
        } else{
            return true;
        }
    }
    return false; // added so the method compiles: URLs outside the scheme are loaded normally
}
Bad · Java
// iOS
-(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType {
    NSURL *URL = [exRequest URL];
    if ([[URL scheme] isEqualToString:@"exampleScheme"]) {
        NSString *functionString = [URL resourceSpecifier];
        if ([functionString hasPrefix:@"specialFunction"]) {
            // Make data available back in webview.
            UIWebView *webView = [self writeDataToView:[URL query]];
        }
        return NO;
    }
    return YES;
}
Bad · Objective-C
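Both WebView examples above have the same shape of flaw: whichever page happens to be loaded can invoke native functionality by navigating to the custom scheme, and the command is recognised by prefix or fixed offsets rather than as a whole name. The following added example (not MITRE's code and not from any product on this page) shows the dispatch logic written the other way round: parse with `java.net.URI`, refuse the bridge entirely unless the calling page comes from a trusted https origin, and match the command against an explicit allowlist. `BridgeDispatcher`, `Decision`, `Result`, the trusted origin `https://app.example.test` and the `getUserInfo` handler are assumptions; the Android and iOS glue is omitted so the class compiles and runs with a plain JDK 17.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;

/**
 * Hypothetical hardened replacement for the scheme-sniffing bridge above.
 * Added illustration, not MITRE's or any product's code; all names are assumptions.
 */
public final class BridgeDispatcher {

    public enum Decision { LOAD_NORMALLY, HANDLED, BLOCKED }

    public record Result(Decision decision, Optional<String> payload) {}

    /** Custom scheme the embedded page uses to reach native code (from the example above). */
    private static final String SCHEME = "examplescheme";

    /** Only pages served from these origins may call native code (constructed value). */
    private static final Set<String> TRUSTED_PAGE_ORIGINS = Set.of("https://app.example.test");

    /** Explicit allowlist of command name to handler; anything else is refused. */
    private final Map<String, Supplier<String>> commands;

    public BridgeDispatcher(Map<String, Supplier<String>> commands) {
        this.commands = Map.copyOf(commands);
    }

    /**
     * @param currentPageUrl URL of the document currently loaded in the WebView
     * @param requestedUrl   URL the page is trying to navigate to
     */
    public Result dispatch(String currentPageUrl, String requestedUrl) {
        URI request;
        try {
            request = new URI(requestedUrl);
        } catch (URISyntaxException e) {
            return new Result(Decision.BLOCKED, Optional.empty());
        }
        // Not our scheme: ordinary navigation, nothing native is invoked.
        if (!SCHEME.equalsIgnoreCase(request.getScheme())) {
            return new Result(Decision.LOAD_NORMALLY, Optional.empty());
        }
        // Our scheme, but the calling page is not one we trust: the bridge is not exposed to it.
        if (!isTrustedOrigin(currentPageUrl)) {
            return new Result(Decision.BLOCKED, Optional.empty());
        }
        // Whole-string lookup in the allowlist instead of fixed-offset substrings or prefixes.
        Supplier<String> handler = commands.get(request.getSchemeSpecificPart());
        if (handler == null) {
            return new Result(Decision.BLOCKED, Optional.empty());
        }
        return new Result(Decision.HANDLED, Optional.of(handler.get()));
    }

    /** True only for an https page whose scheme://host[:port] is in the allowlist. */
    static boolean isTrustedOrigin(String pageUrl) {
        if (pageUrl == null) {
            return false;
        }
        try {
            URI page = new URI(pageUrl);
            if (!"https".equalsIgnoreCase(page.getScheme()) || page.getHost() == null) {
                return false;
            }
            String origin = page.getScheme().toLowerCase() + "://" + page.getHost().toLowerCase()
                    + (page.getPort() == -1 ? "" : ":" + page.getPort());
            return TRUSTED_PAGE_ORIGINS.contains(origin);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed handler standing in for writeDataToView(view, UserData) above.
        Map<String, Supplier<String>> handlers = Map.of("getUserInfo", () -> "{\"user\":\"demo\"}");
        BridgeDispatcher bridge = new BridgeDispatcher(handlers);

        String trusted = "https://app.example.test/home";
        String untrusted = "https://evil.example.test/";

        System.out.println(bridge.dispatch(trusted, "examplescheme:getUserInfo"));   // trusted page, allowlisted command
        System.out.println(bridge.dispatch(untrusted, "examplescheme:getUserInfo")); // same command from an untrusted page
        System.out.println(bridge.dispatch(trusted, "examplescheme:dumpAll"));       // trusted page, command not allowlisted
        System.out.println(bridge.dispatch(trusted, "https://app.example.test/x"));  // ordinary navigation
        System.out.println(bridge.dispatch(trusted, "x"));                            // short relative URL, no scheme
    }
}
```

In an Android `WebViewClient` this would be called as `dispatch(view.getUrl(), url)` from `shouldOverrideUrlLoading`, returning `true` for `HANDLED` and `BLOCKED` (so the WebView never tries to load the scheme URL) and `false` for `LOAD_NORMALLY`. The origin check is only as strong as the WebView's navigation restrictions: if the client lets the view navigate to arbitrary sites, the trusted-origin list must be enforced on navigation as well, not just at the bridge.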
CVE ID | Title | CVSS | Severity | Published
CVE-2025-43955 | Convertigo Security Vulnerability — Convertigo | 2.2 | Low | 2025-04-20
CVE-2025-3698 | TECNO com.transsion.carlcare Security Vulnerability — com.transsion.carlcare | 6.5 (AI) | Medium (AI) | 2025-04-16
CVE-2025-26651 | Windows Local Session Manager (LSM) Denial of Service Vulnerability — Windows 11 version 22H2 | 6.5 | Medium | 2025-04-08
CVE-2024-43065 | Exposed Dangerous Method or Function in HLOS — Snapdragon | 7.1 | High | 2025-04-07
CVE-2024-6863 | Encryption of Arbitrary Files with Attacker-Controlled Key in h2oai/h2o-3 — h2oai/h2o-3 | 9.1 | - | 2025-03-20
CVE-2024-12651 | Sensitive Data Exposure in PTT Inc.'s HGS Mobile App — HGS Mobile App | 8.5 | High | 2025-02-14
CVE-2025-24361 | Opening a malicious website while running a Nuxt dev server could allow read-only access to code — nuxt | 5.3 | Medium | 2025-01-25
CVE-2024-13242 | Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006 — Swift Mailer (abandoned) | 5.3 | - | 2025-01-09
CVE-2023-39470 | PaperCut NG print.script.sandboxed Exposed Dangerous Function Remote Code Execution Vulnerability — NG | 8.8 | - | 2024-11-22
CVE-2024-51992 | Method Exposure Vulnerability in Modals in orchid/platform — platform | 4.1 | Medium | 2024-11-11
CVE-2024-47005 | Sharp MFP Security Vulnerability — Sharp Digital Full-color MFPs and Monochrome MFPs | 8.1 | High | 2024-10-25
CVE-2024-4739 | MXsecurity License Generation Function Disclosure — MXsecurity Series | 5.3 | Medium | 2024-10-18
CVE-2024-6510 | Local privilege escalation vulnerability in AVG Internet Security — Internet Security | 7.8 | High | 2024-09-12
CVE-2024-6689 | Local privilege escalation vulnerability in baramundi Management Agent via MSI Installer — Management Agent | 7.8 | High | 2024-07-15
CVE-2024-35209 | Siemens SINEC Traffic Analyzer Security Vulnerability — SINEC Traffic Analyzer | 6.2 | Medium | 2024-06-11
CVE-2024-5299 | D-Link D-View execMonitorScript Exposed Dangerous Method Remote Code Execution Vulnerability — D-View | 8.8 (AI) | High (AI) | 2024-05-23
CVE-2024-5298 | D-Link D-View queryDeviceCustomMonitorResult Exposed Dangerous Method Remote Code Execution Vulnerability — D-View | 8.8 (AI) | High (AI) | 2024-05-23
CVE-2023-51584 | Voltronic Power ViewPower USBCommEx shutdown Exposed Dangerous Method Remote Code Execution Vulnerability — ViewPower | 8.8 | - | 2024-05-03
CVE-2023-51583 | Voltronic Power ViewPower UpsScheduler Exposed Dangerous Method Remote Code Execution Vulnerability — ViewPower | 9.8 | - | 2024-05-03
CVE-2023-51582 | Voltronic Power ViewPower LinuxMonitorConsole Exposed Dangerous Method Remote Code Execution Vulnerability — ViewPower | 9.8 | - | 2024-05-03
CVE-2023-51581 | Voltronic Power ViewPower MacMonitorConsole Exposed Dangerous Method Remote Code Execution Vulnerability — ViewPower | 9.8 | - | 2024-05-03
CVE-2023-51578 | Voltronic Power ViewPower MonitorConsole Exposed Dangerous Method Denial-of-Service Vulnerability — ViewPower | 7.5 | - | 2024-05-03
CVE-2023-51577 | Voltronic Power ViewPower setShutdown Exposed Dangerous Method Local Privilege Escalation Vulnerability — ViewPower | 7.8 | - | 2024-05-03
CVE-2023-51575 | Voltronic Power ViewPower MonitorConsole Exposed Dangerous Method Remote Code Execution Vulnerability — ViewPower | 9.8 | - | 2024-05-03
CVE-2023-51574 | Voltronic Power ViewPower updateManagerPassword Exposed Dangerous Method Authentication Bypass Vulnerability — ViewPower | 9.8 | - | 2024-05-03
CVE-2023-44414 | D-Link D-View coreservice_action_script Exposed Dangerous Function Remote Code Execution Vulnerability — D-View | 9.8 | - | 2024-05-03
CVE-2023-42032 | Visualware MyConnection Server doRTAAccessUPass Exposed Dangerous Method Information Disclosure Vulnerability — MyConnection Server | 7.5 | - | 2024-05-03
CVE-2023-40501 | LG Simple Editor copyContent Exposed Dangerous Function Remote Code Execution Vulnerability — Simple Editor | 9.8 | - | 2024-05-03
CVE-2023-40500 | LG Simple Editor copyContent Exposed Dangerous Function Remote Code Execution Vulnerability — Simple Editor | 9.8 | - | 2024-05-03
CVE-2023-39505 | PDF-XChange Editor Net.HTTP.requests Exposed Dangerous Function Information Disclosure Vulnerability — PDF-XChange Editor | 5.5 | - | 2024-05-03

Vulnerabilities classified as CWE-749 (Exposure of Dangerous Method or Function) represent 119 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.