
CWE-428 Unquoted Search Path or Element: vulnerability list (303)

A summary of the 303 CVE entries associated with the CWE-428 (Unquoted Search Path or Element) weakness class, with AI-generated Chinese analysis.

CWE-428 is the Unquoted Search Path or Element weakness, a path-handling defect. When a path element contains spaces and is not quoted, the system may parse the path incorrectly and access a resource in a parent directory instead. An attacker can place a malicious file (such as Program.exe) in that parent directory so that a privileged program executes it, thereby elevating privileges. Developers should avoid paths containing spaces, or strictly quote every path element, so that the path is parsed as intended and path traversal and privilege escalation are prevented.

MITRE CWE official description
CWE-428 Unquoted Search Path or Element: The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path. If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec.
Common consequences (1)
Scope: Confidentiality, Integrity, Availability. Impact: Execute Unauthorized Code or Commands.
Mitigations (3)
Implementation: Properly quote the full search path before executing a program on the system.
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Code example (1)
The following example demonstrates the weakness.
UINT errCode = WinExec( "C:\\Program Files\\Foo\\Bar", SW_SHOW ); /* unquoted path containing a space: "C:\Program.exe" is tried first */
Bad · C
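As an added defensive example (not code from the page, from MITRE, or from any listed vendor), the following Python audit reproduces the lookup order that CreateProcess/WinExec apply to an unquoted path containing whitespace, flags a service ImagePath or launch command line as CWE-428, lists the shadow locations that would be tried before the real executable, and produces the quoted remediation. The sample paths, the `Finding` structure and the "executable ends at the first token ending in .exe" heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
SPACE = re.compile(r"\s+")

def needs_exe_suffix(path: str) -> bool:
    """CreateProcess appends .exe when the last path component has no extension."""
    return "." not in path.rsplit("\\", 1)[-1]

def split_executable(unquoted: str) -> tuple[str, str]:
    """Remediation heuristic: the executable ends at the first token ending in .exe;
    with no such token the whole string is the executable (the page's example)."""
    for m in SPACE.finditer(unquoted):
        head = unquoted[:m.start()]
        if head.lower().endswith(".exe"):
            return head, unquoted[m.end():]
    return unquoted, ""

def lookup_order(exe: str) -> list[str]:
    """Candidates CreateProcess/WinExec try in order: each prefix cut at a space,
    then the full path, with .exe appended wherever there is no extension."""
    order = []
    for m in SPACE.finditer(exe):
        head = exe[:m.start()]
        order.append(head + ".exe" if needs_exe_suffix(head) else head)
    order.append(exe + ".exe" if needs_exe_suffix(exe) else exe)
    return order

@dataclass
class Finding:
    image_path: str
    vulnerable: bool
    shadow_paths: list[str] = field(default_factory=list)  # tried before the real exe
    remediated: str = ""

def audit_image_path(image_path: str) -> Finding:
    """Classify one service ImagePath / launch command line for CWE-428."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return Finding(cmd, False, [], cmd)  # quoted: parsing is unambiguous
    exe, args = split_executable(cmd)
    if not SPACE.search(exe):
        return Finding(cmd, False, [], cmd)  # no whitespace: nothing to misparse
    fixed = f'"{exe}"' + (f" {args}" if args else "")
    return Finding(cmd, True, lookup_order(exe)[:-1], fixed)

SAMPLE_IMAGE_PATHS = [  # constructed samples, not from the page or any real product
    r"C:\Program Files\Foo\Bar",                     # the page's WinExec path
    r"C:\Program Files\Vendor Tool\svc.exe -run",    # hypothetical service
    r'"C:\Program Files\Vendor Tool\svc.exe" -run',  # same path, quoted
]
```

Running `audit_image_path` over every ImagePath under the Services registry hive gives the same check that common unquoted-service-path audits perform, with the remediated value ready to write back.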
CVE ID | Title | CVSS | Risk level | Published
CVE-2021-47864 | OSAS Traverse Extension code issue vulnerability — OSAS Traverse Extension | 7.8 | High | 2026-01-21
CVE-2021-47863 | MacPaw Encrypto code issue vulnerability — Encrypto | 7.8 | High | 2026-01-21
CVE-2021-47862 | Hi-Rez Studios HiPatchService code issue vulnerability — HiPatchService | 7.8 | High | 2026-01-21
CVE-2021-47861 | FSPro Labs Event Log Explorer code issue vulnerability — Event Log Explorer | 7.8 | High | 2026-01-21
CVE-2021-47859 | HID Global ActivIdentity code issue vulnerability — ActivIdentity | 7.8 | High | 2026-01-21
CVE-2021-47847 | Flexense Disk Sorter Server code issue vulnerability — Disk Sorter Server | 7.8 | High | 2026-01-16
CVE-2021-47845 | NETGATE Spy Emergency security vulnerability — Spy Emergency | 7.8 | High | 2026-01-16
CVE-2021-47833 | Gearboxcomputers WifiHotSpot code issue vulnerability — WifiHotSpot | 7.8 | High | 2026-01-16
CVE-2021-47829 | Weird Solutions DHCP Broadband code issue vulnerability — DHCP Broadband | 7.8 | High | 2026-01-16
CVE-2021-47828 | bootplus code issue vulnerability — BOOTP Turbo | 7.8 | High | 2026-01-16
CVE-2021-47826 | Acer Backup Manager code issue vulnerability — Acer Backup Manager Module | 7.8 | High | 2026-01-16
CVE-2021-47825 | Acer Updater Service code issue vulnerability — Acer Updater Service | 7.8 | High | 2026-01-16
CVE-2021-47823 | Acer ePowerSvc code issue vulnerability — ePowerSvc | 7.8 | High | 2026-01-16
CVE-2021-47822 | Flexense DiskBoss Service code issue vulnerability — DiskBoss Service | 7.8 | High | 2026-01-16
CVE-2021-47810 | WibuKey Runtime security vulnerability — WibuKey Runtime | 7.8 | High | 2026-01-15
CVE-2021-47809 | Flexense Disk Sorter Enterprise security vulnerability — Disk Sorter Enterprise | 7.8 | High | 2026-01-15
CVE-2021-47807 | Flexense Sync Breeze security vulnerability — Sync Breeze | 7.8 | High | 2026-01-15
CVE-2021-47806 | Flexense Dup Scout security vulnerability — Dup Scout | 7.8 | High | 2026-01-15
CVE-2021-47805 | Flexense Disk Savvy code issue vulnerability — Disk Savvy | 7.8 | High | 2026-01-15
CVE-2021-47804 | Wise Care 365 code issue vulnerability — Wise Care | 7.8 | High | 2026-01-15
CVE-2021-47803 | iFunbox code issue vulnerability — iFunbox | 7.8 | High | 2026-01-15
CVE-2021-47792 | Remote Mouse security vulnerability — Remote Mouse | 7.8 | High | 2026-01-15
CVE-2021-47790 | PY Active WebCam security vulnerability — Active WebCam | 7.8 | High | 2026-01-15
CVE-2021-47787 | TotalAV security vulnerability — TotalAV | 7.8 | High | 2026-01-15
CVE-2021-47780 | Macro Expert code issue vulnerability — Macro Expert | 7.8 | High | 2026-01-15
CVE-2020-36929 | Brother BRPrint Auditor security vulnerability — Brother BRPrint Auditor | 7.8 | High | 2026-01-15
CVE-2020-36930 | Flexense SysGauge Server security vulnerability — SysGauge | 7.8 | High | 2026-01-15
CVE-2020-36927 | Flexense DiskPulse Enterprise security vulnerability — DiskPulse | 7.8 | High | 2026-01-15
CVE-2020-36928 | Brother BRAgent security vulnerability — Brother BRAgent | 7.8 | High | 2026-01-15
CVE-2021-47773 | Dynojet Power Core security vulnerability — Dynojet Power Core | 7.8 | High | 2026-01-15

CWE-428 (Unquoted Search Path or Element) is a common weakness category; this platform has collected 303 CVE entries associated with it.