Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CWE-184 (不完整的黑名单) — Vulnerability Class 102

102 vulnerabilities classified as CWE-184 (不完整的黑名单). AI Chinese analysis included.

CWE-184 represents a critical input validation weakness where an application relies on a blacklist of prohibited inputs that fails to cover all malicious variations. This approach is inherently fragile because attackers can easily bypass incomplete lists using encoding techniques, alternative syntax, or edge cases not anticipated by the developer. Exploitation typically occurs when an adversary submits crafted payloads that evade the restricted set, allowing unauthorized commands, code execution, or data injection to proceed unchecked. To mitigate this risk, developers should abandon blacklisting in favor of whitelisting, which permits only explicitly verified and safe inputs. Additionally, implementing robust input sanitization and normalization processes ensures that diverse attack vectors are neutralized before processing, thereby closing the gaps left by incomplete disallowed lists and significantly strengthening the application’s security posture against injection-based threats.

MITRE CWE Description
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Common Consequences (1)
Access ControlBypass Protection Mechanism
Attackers may be able to find other malicious inputs that were not expected by the developer, allowing them to bypass the intended protection mechanism.
Mitigations (1)
ImplementationDo not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as …
Examples (2)
The following code attempts to stop XSS attacks by removing all occurences of "script" in an input string.
public String removeScriptTags(String input, String mask) { return input.replaceAll("script", mask); }
Bad · Java
This example takes user input, passes it through an encoding scheme, then lists the contents of the user's home directory based on the user name.
sub GetUntrustedInput { return($ARGV[0]); } sub encode { my($str) = @_; $str =~ s/\&/\&amp;/gs; $str =~ s/\"/\&quot;/gs; $str =~ s/\'/\&apos;/gs; $str =~ s/\</\&lt;/gs; $str =~ s/\>/\&gt;/gs; return($str); } sub doit { my $uname = encode(GetUntrustedInput("username")); print "<b>Welcome, $uname!</b><p>\n"; system("cd /home/$uname; /bin/ls -l"); }
Bad · Perl
' pwd
Attack
CVE IDTitleCVSSSeverityPublished
CVE-2025-61924 PrestaShop Checkout Target PayPal merchant account hijacking from backoffice — ps_checkout 3.8 Low2025-10-16
CVE-2025-48732 WWBN AVideo 安全漏洞 — AVideo 7.3 High2025-07-24
CVE-2025-24388 Unsafe handling of AJAX calls — OTRS 3.8 Low2025-06-16
CVE-2025-1484 Hitachi Asset Suite 安全漏洞 — Asset Suite 6.5 Medium2025-05-30
CVE-2025-46417 picklescan 安全漏洞 — Picklescan 9.1 -2025-04-24
CVE-2025-29822 Microsoft OneNote Security Feature Bypass Vulnerability — Microsoft 365 Apps for Enterprise 7.8 High2025-04-08
CVE-2025-1716 picklescan - Security scanning bypass via 'pip main' — picklescan 8.1 -2025-02-26
CVE-2024-54149 Winter CMS Modules allows a sandbox bypass in Twig templates leading to data modification and deletion — winter 8.5 High2024-12-09
CVE-2024-32152 Ankitects Anki 安全漏洞 — Anki 3.1 Low2024-07-22
CVE-2024-5217 Incomplete Input Validation in GlideExpression Script — Now Platform 9.8 Critical2024-07-10
CVE-2024-5178 Incomplete Input Validation in SecurelyAccess API — Now Platform 4.9 Medium2024-07-10
CVE-2024-30103 Microsoft Outlook Remote Code Execution Vulnerability — Microsoft Office 2019 8.8 High2024-06-11
CVE-2024-20278 Cisco IOS XE Software 安全漏洞 — Cisco IOS XE Software 6.5 Medium2024-03-27
CVE-2024-28246 KaTeX is missing normalization of the protocol in URLs allows bypassing forbidden protocols — KaTeX 5.5 Medium2024-03-25
CVE-2023-45593 AiLux imx6 安全漏洞 — imx6 bundle 6.8 Medium2024-03-05
CVE-2023-45133 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code — babel 9.4 Critical2023-10-12
CVE-2023-3374 Privilege Escalation in Bookreen — Bookreen 9.8 Critical2023-09-05
CVE-2023-40037 Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs — Apache NiFi 8.1 -2023-08-18
CVE-2023-23844 SolarWinds Platform Incomplete List of Disallowed Inputs Vulnerability — SolarWinds Platform 7.2 High2023-07-26
CVE-2023-34253 Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass — grav 8.8 High2023-06-14
CVE-2023-34252 Grav Server-side Template Injection via Insufficient Validation in filterFilter — grav 8.8 High2023-06-14
CVE-2023-2017 Improper Control of Generation of Code in Twig Rendered Views in Shopware — Shopware 6 8.8 High2023-04-17
CVE-2022-34888 Lenovo XClarity Controller 安全漏洞 — Lenovo XClarity Controller 2.7 Low2023-01-30
CVE-2022-32763 Lansweeper 跨站脚本漏洞 — lansweeper 5.4 -2022-12-19
CVE-2022-35962 Crafted link in Zulip message can cause disclosure of credentials — zulip-mobile 8.0 High2022-08-29
CVE-2022-38179 JetBrains Ktor framework 安全漏洞 — Ktor 4.7 Medium2022-08-12
CVE-2021-31370 Junos OS: QFX5000 Series and EX4600 Series: Control traffic might be dropped if a high rate of specific multicast traffic is received — Junos OS 6.5 Medium2021-10-19
CVE-2021-25737 Holes in EndpointSlice Validation Enable Host Network Hijack — Kubernetes 2.7 Low2021-09-06
CVE-2021-25631 denylist of executable filename extensions possible to bypass under windows — LibreOffice 8.8 -2021-05-03
CVE-2020-14372 grub2 安全漏洞 — grub2 8.2 -2021-03-03

Vulnerabilities classified as CWE-184 (不完整的黑名单) represent 102 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.