
CWE-841 (Improper Enforcement of Behavioral Workflow) — Vulnerability Class 34

34 vulnerabilities classified as CWE-841 (Improper Enforcement of Behavioral Workflow). AI Chinese analysis included.

CWE-841 represents a logic flaw where an application fails to enforce the correct sequence of operations within a multi-step workflow. This weakness allows attackers to bypass critical security checks or business rules by executing actions out of order or skipping necessary steps entirely. For instance, an attacker might attempt to access a protected resource before completing authentication, or finalize a transaction before verifying payment details. Such manipulation can lead to unauthorized data access, financial fraud, or system instability. To mitigate this risk, developers must implement strict state management and validation mechanisms that verify each step’s completion before allowing progression. Utilizing atomic transactions, enforcing server-side state checks, and clearly defining workflow dependencies ensures that the application maintains integrity regardless of the client’s input order, thereby preventing logic bypasses and preserving the intended behavioral sequence.

MITRE CWE Description
The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence. By performing actions in an unexpected order, or by omitting steps, an attacker could manipulate the business logic of the product or cause it to enter an invalid state. In some cases, this can also expose resultant weaknesses. For example, a file-sharing protocol might require that an actor perform separate steps to provide a username, then a password, before being able to transfer files. If the file-sharing server accepts a password command followed by a transfer command, without any username being provided, the product might still perform the transfer. Note that this is different than CWE-696, which focuses on when the product performs actions in the wrong sequence; this entry is closely related, but it is focused on ensuring that the actor performs actions in the correct sequence.

Workflow-related behaviors include:
- Steps are performed in the expected order.
- Required steps are not omitted.
- Steps are not interrupted.
- Steps are performed in a timely fashion.

Common Consequences (1)
Scope: Other · Impact: Alter Execution Logic
An attacker could cause the product to skip critical steps or perform them in the wrong order, bypassing its intended business logic. This can sometimes have security implications.
Examples (1)
This code is part of an FTP server and deals with various commands that could be sent by a user. It is intended that a user must successfully log in before performing any other action such as retrieving or listing files. In the first version, List_files is dispatched without any authentication check, so the login step can be skipped for that command.

    def dispatchCommand(command, user, args):
        if command == 'Login':
            loginUser(args)
            return
        # user has requested a file
        if command == 'Retrieve_file':
            if authenticated(user) and ownsFile(user,args):
                sendFile(args)
                return
        if command == 'List_files':
            listFiles(args)
            return
        ...

Bad · Python

    def dispatchCommand(command, user, args):
        ...
        if command == 'List_files':
            if authenticated(user) and ownsDirectory(user,args):
                listFiles(args)
                return
        ...

Good · Python
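The corrected snippet above patches one command; the mitigation described in the class summary (server-side state, each step verified before the next is allowed) generalizes to an explicit state machine. The following is an added example, not code from MITRE or from any product on this page: a per-session dispatcher for the username/password/transfer sequence in which every (state, command) pair that is not an allowed transition is refused before any resource is touched, a failed password resets the workflow to the start, and file ownership is checked in addition to the workflow state. The credential and ownership tables and the reply strings are constructed for the demonstration.

```python
from enum import Enum, auto


class State(Enum):
    NEED_USER = auto()      # no username given yet
    NEED_PASS = auto()      # username given, password outstanding
    AUTHENTICATED = auto()  # login complete; file commands allowed


# Allowed transitions: (current state, command) -> next state.
# Any pair not listed here is an out-of-sequence request and is refused.
TRANSITIONS = {
    (State.NEED_USER, "USER"): State.NEED_PASS,
    (State.NEED_PASS, "PASS"): State.AUTHENTICATED,
    (State.AUTHENTICATED, "RETR"): State.AUTHENTICATED,
    (State.AUTHENTICATED, "LIST"): State.AUTHENTICATED,
}

# Constructed sample data for the demonstration (not a real credential store).
CREDENTIALS = {"alice": "correct horse"}
FILE_OWNER = {"report.txt": "alice", "payroll.csv": "bob"}

OK_REPLY = {
    "USER": "331 User name okay, need password",
    "PASS": "230 User logged in",
    "RETR": "150 Opening data connection",
    "LIST": "150 Here comes the directory listing",
}


class Session:
    """Per-connection workflow state, held server-side and never taken from the client."""

    def __init__(self):
        self.state = State.NEED_USER
        self.pending_user = None
        self.user = None

    def dispatch(self, command, arg=None):
        nxt = TRANSITIONS.get((self.state, command))
        if nxt is None:
            # Out-of-order or unknown command: refuse before touching any resource.
            return "503 Bad sequence of commands"

        if command == "USER":
            self.pending_user = arg
        elif command == "PASS":
            if CREDENTIALS.get(self.pending_user) != arg:
                # A failed login restarts the workflow instead of leaving a half-state
                # in which a second PASS could be retried against the remembered user.
                self.state = State.NEED_USER
                self.pending_user = None
                return "530 Login incorrect"
            self.user = self.pending_user
        elif command == "RETR":
            # Authorization is checked on top of the workflow state, not instead of it.
            if FILE_OWNER.get(arg) != self.user:
                return "550 Permission denied"

        # Only a legitimate transition advances the state.
        self.state = nxt
        return OK_REPLY[command]


def run(commands):
    """Feed a list of (command, arg) pairs to one fresh session and return the replies."""
    session = Session()
    return [session.dispatch(cmd, arg) for cmd, arg in commands]


if __name__ == "__main__":
    # PASS then RETR with no USER: both refused, nothing is transferred.
    print(run([("PASS", "correct horse"), ("RETR", "report.txt")]))
    # Full sequence: transfer of own file allowed, someone else's file denied.
    print(run([("USER", "alice"), ("PASS", "correct horse"),
               ("RETR", "report.txt"), ("RETR", "payroll.csv")]))
```

The point of the table-driven form is that a new command cannot be added without declaring the state it is valid in, which is exactly what the vulnerable List_files branch lacked; a review can then check the transition table rather than every branch of the dispatcher.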
CVE ID | Title | Product | CVSS | Severity | Published
(Values marked (AI) carry the site's AI label.)
CVE-2026-41259 | Mastodon: Insufficient verification of email addresses | mastodon | 4.3 (AI) | Medium (AI) | 2026-04-23
CVE-2026-34582 | Botan has a TLS 1.3 certificate authentication bypass | botan | 8.2 (AI) | High (AI) | 2026-04-07
CVE-2025-13459 | IBM Aspera Console Denial of Service | Aspera Console | 2.7 | Low | 2026-03-13
CVE-2026-3130 | Devolutions Server security vulnerability | Server | 8.1 (AI) | High (AI) | 2026-03-03
CVE-2025-52469 | Chamilo: Friend Request Workflow Bypass - Unauthorized Friend Addition and ID Validation Bypass | chamilo-lms | 7.1 | High | 2026-03-02
CVE-2026-24774 | Open eClass Business Logic Flaw Allows Students to Mark Attendance in Expired Activities | openeclass | 4.3 | Medium | 2026-02-03
CVE-2025-13129 | Business Logic Error in Seneka Software's Onaylarım | Onaylarım | 4.3 | Medium | 2025-12-01
CVE-2025-13239 | Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution submit_checkout behavioral workflow | Isshue Multi Store eCommerce Shopping Cart Solution | 4.3 | Medium | 2025-11-16
CVE-2025-58051 | Nextcloud Tables app allowed to include local file via PhpSpreadsheet when importing a table | security-advisories | 6.5 | Medium | 2025-10-16
CVE-2025-55682 | Windows BitLocker Security Feature Bypass Vulnerability | Windows 11 Version 24H2 | 6.1 | Medium | 2025-10-14
CVE-2025-55337 | Windows BitLocker Security Feature Bypass Vulnerability | Windows 11 Version 24H2 | 6.1 | Medium | 2025-10-14
CVE-2025-55332 | Windows BitLocker Security Feature Bypass Vulnerability | Windows 10 Version 1809 | 6.1 | Medium | 2025-10-14
CVE-2025-55330 | Windows BitLocker Security Feature Bypass Vulnerability | Windows 11 version 22H2 | 6.1 | Medium | 2025-10-14
CVE-2024-13065 | Business Logic Error in Akinsoft's MyRezzta | MyRezzta | 6.3 | Medium | 2025-09-03
CVE-2025-48482 | FreeScout Has Business Logic Errors | freescout | 4.3 (AI) | Medium (AI) | 2025-05-30
CVE-2025-48481 | FreeScout Has Business Logic Errors | freescout | 8.2 (AI) | High (AI) | 2025-05-30
CVE-2025-48480 | FreeScout Has Business Logic Errors | freescout | 6.5 (AI) | Medium (AI) | 2025-05-30
CVE-2025-48479 | FreeScout Has Business Logic Errors | freescout | 6.5 (AI) | Medium (AI) | 2025-05-30
CVE-2025-48478 | FreeScout Has Business Logic Errors | freescout | 7.5 (AI) | High (AI) | 2025-05-30
CVE-2025-48477 | FreeScout Has Business Logic Errors | freescout | 4.3 (AI) | Medium (AI) | 2025-05-30
CVE-2025-48476 | FreeScout Has Business Logic Errors | freescout | 8.8 (AI) | High (AI) | 2025-05-30
CVE-2025-48376 | Dnn.Platform's Site Import could use an external source with a crafted request | Dnn.Platform | 3.5 | Low | 2025-05-23
CVE-2024-12543 | A user enumeration and subsequent data integrity vulnerability affecting barcode functionality | OpenText Content Management | 4.3 | - | 2025-04-21
CVE-2025-2323 | 274056675 springboot-openai-chatgpt Number of Question questionCou updateQuestionCou behavioral workflow | springboot-openai-chatgpt | 4.3 | Medium | 2025-03-15
CVE-2024-39325 | aimeos/ai-controller-frontend doesn't reset payment status in basket | ai-controller-frontend | 5.3 | Medium | 2024-07-02
CVE-2024-6128 | spa-cartcms Checkout Page checkout behavioral workflow | spa-cartcms | 5.3 | Medium | 2024-06-18
CVE-2024-37296 | Aimeos HTML client vulnerable to digital products download without proper payment status check | ai-client-html | 5.3 | Medium | 2024-06-11
CVE-2024-0410 | Improper Enforcement of Behavioral Workflow in GitLab | GitLab | 7.7 | High | 2024-02-21
CVE-2023-5921 | Function Bypass in Geodi | Geodi | 7.1 | High | 2023-11-22
CVE-2023-4181 | SourceCodester Free Hospital Management System for Small Practices Redirect behavioral workflow | Free Hospital Management System for Small Practices | 5.4 | Medium | 2023-08-06

Vulnerabilities classified as CWE-841 (Improper Enforcement of Behavioral Workflow) represent 34 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.