Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CWE-345 (对数据真实性的验证不充分) — Vulnerability Class 236

236 vulnerabilities classified as CWE-345 (对数据真实性的验证不充分). AI Chinese analysis included.

CWE-345 represents a critical integrity weakness where software fails to adequately verify the origin or authenticity of incoming data, leading to the acceptance of invalid or malicious inputs. Attackers typically exploit this vulnerability by injecting spoofed or tampered information, tricking the application into processing untrusted sources as legitimate. This can result in severe consequences, including data corruption, unauthorized access, or system compromise, as the software blindly trusts the manipulated payload. To mitigate this risk, developers must implement robust cryptographic verification mechanisms, such as digital signatures or message authentication codes, to ensure data integrity. Additionally, strict input validation and secure communication protocols like TLS should be employed to authenticate data sources. By rigorously validating the provenance of all external inputs, organizations can prevent attackers from exploiting trust assumptions and maintain the overall security posture of their systems against integrity-based attacks.

MITRE CWE Description
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Common Consequences (1)
Integrity, OtherVaries by Context, Unexpected State
Examples (1)
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE IDTitleCVSSSeverityPublished
CVE-2024-30250 In Astro-Shield, setting a correct `integrity` attribute to injected code allows to bypass the allow-lists — astro-shield 7.5 High2024-04-04
CVE-2024-2384 WooCommerce POS <= 1.4.11 - Insufficient Verification of Data Authenticity to Authenticated (Customer+) Information Disclosure — WCPOS – Point of Sale (POS) plugin for WooCommerce 4.3 Medium2024-03-20
CVE-2024-28251 Cross-site websocket hijacking in Querybook — querybook 5.6 Medium2024-03-13
CVE-2024-1321 EventPrime – Events Calendar, Bookings and Tickets <= 3.4.2 - Unauthenticated Booking Payment Bypass — EventPrime – Events Calendar, Bookings and Tickets 5.3 Medium2024-03-13
CVE-2024-27305 SMTP smuggling in aiosmtpd — aiosmtpd 5.3 Medium2024-03-12
CVE-2023-32329 IBM Security Access Manager Container improper file validation — Security Verify Access Appliance 6.2 Medium2024-02-03
CVE-2023-52109 Huawei HarmonyOS 安全漏洞 — HarmonyOS 7.5AIHighAI2024-01-16
CVE-2023-44402 ASAR Integrity bypass via filetype confusion in electron — electron 6.1 Medium2023-12-01
CVE-2023-49087 Validation of SignedInfo — xml-security 6.8 Medium2023-11-30
CVE-2023-48238 JWT Algorithm Confusion in json-web-token library — json-web-token 7.5 High2023-11-17
CVE-2023-47631 vantage6 Node accepts non-whitelisted algorithms from malicious server — vantage6 7.2 High2023-11-14
CVE-2023-47630 Attacker can cause Kyverno user to unintentionally consume insecure image — kyverno 7.1 High2023-11-14
CVE-2023-42816 Denial of service from malicious signature in kyverno — kyverno 6.1 Medium2023-11-13
CVE-2023-41896 Fake websocket server installation permits full takeover in Home Assistant Core — core 7.1 High2023-10-19
CVE-2023-41898 Arbitrary URL load in Android WebView in `MyActivity.kt` in Home Assistant Companion for Android — core 8.6 High2023-10-19
CVE-2023-43800 Insufficient Verification of Data Authenticity in Arduino Create Agent — arduino-create-agent 7.3 High2023-10-18
CVE-2023-43666 Apache InLong: General user Unauthorized access User Management — Apache InLong 6.5 -2023-10-16
CVE-2023-42782 Fortinet FortiAnalyzer 数据伪造问题漏洞 — FortiAnalyzer 5.0 Medium2023-10-10
CVE-2023-5450 BIG-IP Edge Client for macOS vulnerability — BIG-IP Edge Client 7.3 High2023-10-10
CVE-2023-5366 Openvswitch don't match packets on nd_target field — openvswitch 7.1 High2023-10-06
CVE-2023-39347 Cilium NetworkPolicy bypass via pod labels — cilium 7.6 High2023-09-26
CVE-2023-43636 Rootfs Not Protected — EVE OS 8.8 High2023-09-20
CVE-2023-4589 Insufficient verification of data authenticity vulnerability in Delinea Secret Server — Secret Server 9.1 Critical2023-09-06
CVE-2023-35719 ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability — ADSelfService Plus 6.8 -2023-09-06
CVE-2023-41045 Insecure source port usage for DNS queries in Graylog — graylog2-server 3.7 Low2023-08-31
CVE-2023-36541 Zoom Client 数据伪造问题漏洞 — Zoom Desktop Client for Windows 8.0 High2023-08-08
CVE-2023-36858 BIG-IP Edge Client for Windows and macOS vulnerability — BIG-IP Edge Client 7.1 High2023-08-02
CVE-2023-37920 Certifi's removal of e-Tugra root certificate — python-certifi 7.5 High2023-07-25
CVE-2023-30562 Lack of Dataset Integrity Checking — BD Alarisâ„¢ Guardrailsâ„¢ Editor 3.0 Low2023-07-13
CVE-2023-25178 Controller design flaw - unsigned firmware — C300 9.8 Critical2023-07-13

Vulnerabilities classified as CWE-345 (对数据真实性的验证不充分) represent 236 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.