Summary of 5967 CVE vulnerabilities in the CWE-862 (Missing Authorization) weakness class, with AI-generated Chinese analysis.
CWE-862 is a missing-authorization weakness: the product does not perform an authorization check when a user accesses a resource or performs an action. Attackers typically modify request parameters directly or craft URLs that bypass front-end restrictions in order to read data or perform sensitive operations they are not entitled to. Developers should never rely on front-end validation alone; the server must apply strict authentication and authorization checks to every request, so that each user can reach only the resources they are authorized for, which removes the broken-access-control risk at its root.
Demonstrative examples of the weakness (PHP and Perl):

```php
<?php
function runEmployeeQuery($dbName, $name){
    global $globalDbHandle; // the handle lives at file scope; declare it so the function can see it
    mysql_select_db($dbName,$globalDbHandle) or die("Could not open Database".$dbName);
    //Use a prepared statement to avoid CWE-89
    $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
    $preparedStatement->execute(array(':name' => $name));
    return $preparedStatement->fetchAll();
}
/.../
// Nothing checks whether the requester may view this employee's record (CWE-862):
// anyone who can reach the page can look up any name.
$employeeRecord = runEmployeeQuery('EmployeeDB',$_GET['EmployeeName']);
```

```perl
use CGI;

sub DisplayPrivateMessage {
    my($id) = @_;
    my $Message = LookupMessageObject($id);
    print "From: " . encodeHTML($Message->{from}) . "<br>\n";
    print "Subject: " . encodeHTML($Message->{subject}) . "\n";
    print "<hr>\n";
    print "Body: " . encodeHTML($Message->{body}) . "\n";
}

my $q = new CGI;
# For purposes of this example, assume that CWE-309 and
# CWE-523 do not apply.
if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
    ExitError("invalid username or password");
}
# The user is authenticated, but the message id is taken straight from the
# request and never checked against that user: any logged-in user can read
# any message by changing 'id' (CWE-862).
my $id = $q->param('id');
DisplayPrivateMessage($id);
```

| CVE ID | Title | CVSS | Risk level | Published |
|---|---|---|---|---|
| CVE-2022-2841 | Falcon security vulnerability — Falcon | 2.7 | Low | 2022-08-22 |
| CVE-2022-36024 | Pycord security vulnerability — pycord | 7.5 | High | 2022-08-18 |
| CVE-2022-2846 | WordPress plugin Calendar Event Multi View cross-site request forgery vulnerability — Calendar Event Multi View | 4.3 | - | 2022-08-16 |
| CVE-2022-2379 | WordPress plugin Easy Student Results cross-site scripting vulnerability — Easy Student Results | 7.5 | - | 2022-08-15 |
| CVE-2022-35293 | SAP Enable Now Manager security vulnerability — SAP Enable Now Manager | 9.1 | - | 2022-08-09 |
| CVE-2022-2732 | OpenEMR security vulnerability — openemr/openemr | 8.3 | High | 2022-08-09 |
| CVE-2022-36836 | SAMSUNG Mobile devices security vulnerability — Charm by Samsung | 6.2 | Medium | 2022-08-05 |
| CVE-2022-31128 | Tuleap security vulnerability — tuleap | 5.4 | Medium | 2022-08-01 |
| CVE-2022-2369 | WordPress plugin YaySMTP security vulnerability — YaySMTP – Simple WP SMTP Mail | 4.3 | - | 2022-08-01 |
| CVE-2021-32504 | SICK FTMg security vulnerability — SICK FTMg | 8.2 | - | 2022-07-19 |
| CVE-2022-2108 | WordPress plugin Wbcom Designs – BuddyPress Group Review security vulnerability — Wbcom Designs – BuddyPress Group Reviews | 6.5 | Medium | 2022-07-18 |
| CVE-2022-31597 | SAP S/4HANA security vulnerability — SAP S/4HANA | 5.4 | - | 2022-07-12 |
| CVE-2022-31592 | SAP Enterprise Extension Defense Forces & Public Security security vulnerability — SAP Enterprise Extension Defense Forces & Public Security (EA-DFPS) | 4.3 | - | 2022-07-12 |
| CVE-2022-1245 | Red Hat Keycloak security vulnerability — keycloak | 9.8 | - | 2022-07-07 |
| CVE-2022-1903 | WordPress plugin ARMember security vulnerability — ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | 8.1 | - | 2022-06-27 |
| CVE-2022-23055 | ERPNext security vulnerability — frappe | 8.1 | - | 2022-06-22 |
| CVE-2022-31595 | SAP Financial Consolidation security vulnerability — SAP Financial Consolidation | 8.8 | - | 2022-06-14 |
| CVE-2022-1777 | WordPress plugin Filr security vulnerability — Filr – Secure document library | 8.3 | - | 2022-06-13 |
| CVE-2022-0745 | WordPress plugin Like Button Rating security vulnerability — Like Button Rating ♥ LikeBtn | 6.5 | - | 2022-06-13 |
| CVE-2022-30731 | Samsung My Files security vulnerability — My Files | 5.1 | Medium | 2022-06-07 |
| CVE-2022-24896 | Tuleap security vulnerability — tuleap | 4.3 | Medium | 2022-06-06 |
| CVE-2021-42851 | Lenovo Personal Cloud Storage security vulnerability — Personal Cloud Storage A1 | 6.3 | Medium | 2022-05-18 |
| CVE-2021-42848 | Lenovo Personal Cloud Storage security vulnerability — Personal Cloud Storage A1 | 4.3 | Medium | 2022-05-18 |
| CVE-2022-29611 | SAP NetWeaver Application Server security vulnerability — SAP NetWeaver Application Server for ABAP and ABAP Platform | 8.8 | - | 2022-05-11 |
| CVE-2022-1442 | WordPress plugin Metform security vulnerability — MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | 7.5 | High | 2022-05-10 |
| CVE-2022-29176 | RubyGems security vulnerability — rubygems.org | 9.9 | Critical | 2022-05-05 |
| CVE-2021-44055 | QNAP Systems Video Station authorization issue vulnerability — Video Station | 5.3 | Medium | 2022-05-05 |
| CVE-2022-28789 | Voice Note security vulnerability — Voice Note | 6.2 | Medium | 2022-05-03 |
| CVE-2021-25002 | WordPress plugin Tipsacarrier security vulnerability — Tipsacarrier | 7.5 | - | 2022-05-02 |
| CVE-2022-1511 | Snipe-IT security vulnerability — snipe/snipe-it | 4.3 | - | 2022-04-28 |
CWE-862 (Missing Authorization) is a common weakness class; this platform has collected 5967 CVE vulnerabilities associated with it.
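Picking up the private-message lookup from the CWE demonstrative code above, the following Python is an added example (not code from this page, from CWE, or from any product listed in the table) that puts the vulnerable lookup next to a hardened one, where the authenticated user becomes part of the query itself. The in-memory SQLite table, the user names, the message ids and the `DENIED` audit list are constructed for the example.

```python
import sqlite3
from typing import Optional

# Constructed sample data: every message row records who owns it.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, "
        "sender TEXT, subject TEXT, body TEXT)"
    )
    db.executemany(
        "INSERT INTO messages VALUES (?, ?, ?, ?, ?)",
        [(101, "alice", "bob", "hi", "lunch?"),
         (102, "carol", "dave", "salary", "confidential")],
    )
    return db

def lookup_message_vulnerable(db: sqlite3.Connection, user: str,
                              msg_id: int) -> Optional[dict]:
    """Same shape as the Perl DisplayPrivateMessage: the query is
    parameterised (no CWE-89), but `user`, the authenticated caller,
    is never consulted, so any caller can fetch any id (CWE-862)."""
    row = db.execute("SELECT * FROM messages WHERE id = ?", (msg_id,)).fetchone()
    return dict(row) if row else None

# Audit trail of refused lookups. A burst of entries for one user with
# many different ids is the enumeration pattern worth alerting on.
DENIED: list = []

def lookup_message(db: sqlite3.Connection, user: str,
                   msg_id: int) -> Optional[dict]:
    """Hardened form: ownership is part of the query, so the check cannot
    be forgotten by a later caller. A foreign id and a non-existent id
    both return None, so the response does not reveal which ids exist."""
    row = db.execute(
        "SELECT * FROM messages WHERE id = ? AND owner = ?", (msg_id, user)
    ).fetchone()
    if row is None:
        DENIED.append((user, msg_id))
        return None
    return dict(row)
```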