
CWE-84 Improper Neutralization of Encoded URI Schemes in Web Page: vulnerability list (10)

Summary of the 10 CVE entries associated with the CWE-84 weakness class (Improper Neutralization of Encoded URI Schemes in Web Page), with AI-generated Chinese analysis.

CWE-84 is an input-validation weakness: the web application fails to correctly neutralize malicious script input that arrives in URI-encoded form. Attackers commonly use such encoding to slip past filters that only inspect the raw input, so the script is injected into a page and executed, resulting in cross-site scripting. Developers should decode user input to its canonical form before validating it, restrict it to a safe allowlist of characters, and apply context-appropriate output encoding, so that an encoded script has no path to execution.

MITRE CWE official description
CWE: CWE-84 Improper Neutralization of Encoded URI Schemes in Web Page. English: The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.
Common consequences (1)
Integrity: Unexpected State
Mitigations (5)
Implementation: Resolve all URIs to absolute or canonical representations before processing.
Implementation: Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS v…
Implementation: Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are i…
Implementation: With Struts, write all data from form beans with the bean's filter attribute set to true.
Implementation: To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is n…
Effectiveness: Defense in Depth
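The first two mitigations (canonicalize the URI before processing, then check it against a positive allowlist) and the output-encoding mitigation fit together into one validation path. The following Python example is added here to illustrate that path; it is not code from MITRE or from any of the listed products. It assumes the value will be emitted into an HTML href attribute, that the application percent-decodes input before use (so validation must happen after the same decoding), and that the allowlist of acceptable schemes (http, https, mailto) is a hypothetical site policy. Decoding is repeated to a fixed point and the characters browsers ignore inside a scheme (tab, CR, LF, leading C0 controls and spaces) are removed before the scheme is extracted, so encoded or split spellings of a script scheme are rejected rather than passed through.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical site policy: schemes the application is willing to emit in an href.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers drop ASCII tab/CR/LF anywhere in a URL and strip leading/trailing
# C0 controls and spaces before parsing (WHATWG URL parsing behaviour).
_INLINE_IGNORED = re.compile(r"[\t\n\r]")
_LEADING_TRAILING_IGNORED = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Reduce a user-supplied URI to the form a downstream parser would see.

    Percent-decoding and HTML entity decoding are applied repeatedly (bounded)
    so that double-encoded input such as %2566oo resolves to its final bytes.
    """
    value = raw
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    value = value.strip(_LEADING_TRAILING_IGNORED)
    return _INLINE_IGNORED.sub("", value)


def extract_scheme(canonical: str) -> Optional[str]:
    """Return the lower-cased scheme of a canonical URI, or None if relative."""
    match = _SCHEME_RE.match(canonical.lower())
    return match.group(1) if match else None


def is_safe_href(raw: str) -> bool:
    """Allowlist check performed on the canonical form, never on the raw input."""
    canonical = canonicalize(raw)
    scheme = extract_scheme(canonical)
    if scheme is None:
        # No scheme: a path/query/fragment-relative reference is acceptable,
        # but a scheme-relative "//host" still reaches an arbitrary origin.
        return not canonical.startswith("//")
    return scheme in ALLOWED_SCHEMES


def render_link(raw_href: str, link_text: str) -> str:
    """Emit an anchor only for allowlisted hrefs, with attribute/text output encoding.

    The original (still percent-encoded) value is emitted so path escapes such
    as %20 survive; the canonical form was only used for the decision.
    """
    if not is_safe_href(raw_href):
        raise ValueError("href rejected: scheme not in allowlist")
    return '<a href="%s">%s</a>' % (
        html.escape(raw_href, quote=True),
        html.escape(link_text),
    )


if __name__ == "__main__":
    # Constructed sample inputs: the first three are acceptable, the rest are not.
    for sample in [
        "https://example.com/docs?q=a%20b",
        "/relative/path",
        " mailto:ops@example.com",
        "//example.org/x",
        "JavaScript:void(0)",
        "java\tscript:void(0)",
        "%6Aavascript:void(0)",
        "&#106;avascript:void(0)",
        "data:text/html,x",
    ]:
        print(repr(sample), "->", "allowed" if is_safe_href(sample) else "rejected")
```

Rejecting a percent-encoded scheme is deliberately conservative: a browser will not treat `%6Aavascript:` as a script scheme, but a downstream component that decodes the value once more would, which is exactly the situation CWE-84 describes.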
CVE ID | Title | CVSS | Risk level | Published
CVE-2025-58444 | MCP inspector security vulnerability (inspector) | 6.1 | Medium | 2025-09-08
CVE-2024-52890 | IBM Engineering Lifecycle Optimization Publishing security vulnerability (IBM Engineering Lifecycle Optimization - Publishing) | 6.1 | Medium | 2025-08-05
CVE-2025-30203 | Tuleap security vulnerability (tuleap) | 4.8 | Medium | 2025-03-31
CVE-2024-42184 | HCL BigFix Patch Management security vulnerability (BigFix Patch Management Download Plug-ins) | 2.5 | Low | 2025-01-23
CVE-2024-45045 | Collabora Online security vulnerability (online) | 6.3 | Medium | 2024-08-29
CVE-2023-30959 | Palantir Apollo cross-site scripting vulnerability (com.palantir.apollo:autopilot) | 4.1 | Medium | 2023-09-26
CVE-2023-25571 | backstage cross-site scripting vulnerability (backstage) | 6.8 | Medium | 2023-02-14
CVE-2022-40181 | Multiple Siemens products cross-site scripting vulnerability (Desigo PXM30-1) | 7.3 | - | 2022-10-11
CVE-2021-3824 | Openvpn OpenVPN cross-site scripting vulnerability (OpenVPN Access Server) | 6.1 | - | 2021-09-23
CVE-2020-7011 | Elastic App Search cross-site scripting vulnerability (Elastic App Search) | 6.1 | - | 2020-06-03

CWE-84 (Improper Neutralization of Encoded URI Schemes in Web Page) is a common weakness class; this platform has collected 10 CVE entries associated with it.