Summary of 5781 CVE vulnerabilities in the CWE-862 (Missing Authorization) weakness class, with Chinese-language AI analysis.
CWE-862 is a missing-authorization weakness: the product does not check whether the user is permitted to access a resource or perform an action. Attackers typically modify request parameters directly or craft URLs to bypass front-end restrictions and read data or trigger sensitive operations they are not authorized for. Developers must not rely on client-side validation alone; the server must authenticate and authorize every request, so that a user can reach only the resources they are entitled to, removing the risk of unauthorized access at its root.
PHP example (no authorization check before the employee lookup):

```php
function runEmployeeQuery($dbName, $name)
{
    global $globalDbHandle; // the original referenced this handle without declaring it global

    // Select the database on the PDO handle (the original called the legacy mysql_select_db() here)
    if ($globalDbHandle->exec("USE `$dbName`") === false) {
        die("Could not open Database " . $dbName);
    }

    // Use a prepared statement to avoid CWE-89 (SQL injection)
    $preparedStatement = $globalDbHandle->prepare('SELECT * FROM employees WHERE name = :name');
    $preparedStatement->execute(array(':name' => $name));
    return $preparedStatement->fetchAll();
}

/* ... */

// Missing authorization: any caller can retrieve any employee's record by name
$employeeRecord = runEmployeeQuery('EmployeeDB', $_GET['EmployeeName']);
```

Perl example (the user is authenticated, but nothing checks that the requested message is theirs):

```perl
use strict;
use warnings;
use CGI;

sub DisplayPrivateMessage {
    my ($id) = @_;
    my $Message = LookupMessageObject($id);
    print "From: " . encodeHTML($Message->{from}) . "<br>\n";
    print "Subject: " . encodeHTML($Message->{subject}) . "\n";
    print "<hr>\n";
    print "Body: " . encodeHTML($Message->{body}) . "\n";
}

my $q = CGI->new;

# For purposes of this example, assume that CWE-309 and
# CWE-523 do not apply.
if (! AuthenticateUser($q->param('username'), $q->param('password'))) {
    ExitError("invalid username or password");
}

# Missing authorization: the id comes straight from the request and is never
# compared against the authenticated user, so any message can be displayed.
my $id = $q->param('id');
DisplayPrivateMessage($id);
```

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2021-24353 | BetterLinks WordPress plugin Access Control Error Vulnerability — Simple 301 Redirects by BetterLinks | 6.1 | - | 2021-06-14 |
| CVE-2021-24354 | BetterLinks WordPress plugin Security Vulnerability — Simple 301 Redirects by BetterLinks | 8.8 | - | 2021-06-14 |
| CVE-2021-24355 | BetterLinks WordPress plugin Access Control Error Vulnerability — Simple 301 Redirects by BetterLinks | 4.3 | - | 2021-06-14 |
| CVE-2021-24356 | BetterLinks WordPress plugin Access Control Error Vulnerability — Simple 301 Redirects by BetterLinks | 8.8 | - | 2021-06-14 |
| CVE-2021-22896 | Nextcloud Mail Access Control Error Vulnerability — Nextcloud Mail | 4.3 | - | 2021-06-11 |
| CVE-2020-10701 | Red Hat libvirt Security Vulnerability — libvirt | 6.5 | - | 2021-05-27 |
| CVE-2020-10697 | Red Hat Ansible Security Vulnerability — Tower | 3.3 | - | 2021-05-27 |
| CVE-2021-22891 | Citrix Systems Citrix ShareFile Security Vulnerability — Citrix ShareFile Storage Zones Controller | 9.8 | - | 2021-05-27 |
| CVE-2018-10866 | Red Hat Certification Authorization Issue Vulnerability — redhat-certification | 9.1 | - | 2021-05-26 |
| CVE-2018-10865 | Red Hat Certification Security Vulnerability — redhat-certification | 7.5 | - | 2021-05-26 |
| CVE-2021-21264 | October CMS Security Vulnerability — october | 5.2 | Medium | 2021-05-03 |
| CVE-2021-22513 | Jenkins Security Vulnerability — Micro Focus Application Automation Tools Plugin - Jenkins plugin. | 7.1 | - | 2021-04-08 |
| CVE-2021-24184 | WordPress eLearning and online course solution Security Vulnerability — Tutor LMS – eLearning and online course solution | 8.8 | - | 2021-04-05 |
| CVE-2021-21326 | GLPI Security Vulnerability — glpi | 7.7 | High | 2021-03-08 |
| CVE-2021-21327 | GLPI Security Vulnerability — glpi | 6.8 | Medium | 2021-03-08 |
| CVE-2021-21255 | GLPI Security Vulnerability — glpi | 5.8 | Medium | 2021-03-02 |
| CVE-2021-21307 | Lucee Server Authorization Issue Vulnerability — Lucee | 8.6 | High | 2021-02-11 |
| CVE-2020-7343 | Mcafee McAfee Agent Authorization Issue Vulnerability — McAfee Agent | 5.5 | Medium | 2021-01-18 |
| CVE-2021-21246 | Theonedev Onedev Information Disclosure Vulnerability — onedev | 8.6 | High | 2021-01-15 |
| CVE-2020-27220 | Eclipse Hono Security Vulnerability — Eclipse Hono | 8.8 | - | 2021-01-14 |
| CVE-2020-27777 | Linux kernel Authorization Issue Vulnerability — kernel | 6.7 | - | 2020-12-15 |
| CVE-2020-28215 | Schneider Electric Easergy T300 Security Vulnerability — Easergy T300 (firmware 2.7 and older) | 9.8 | - | 2020-12-11 |
| CVE-2020-27349 | Aptdaemon Security Vulnerability — aptdaemon | 7.1 | - | 2020-12-09 |
| CVE-2020-25711 | Red Hat Infinispan Access Control Error Vulnerability — infinispan | 8.1 | - | 2020-12-03 |
| CVE-2020-26212 | GLPI Permissions, Privileges and Access Control Issue Vulnerability — glpi | 7.7 | High | 2020-11-25 |
| CVE-2020-26231 | October CMS Security Vulnerability — october | 5.2 | Medium | 2020-11-23 |
| CVE-2020-15247 | October CMS Security Vulnerability — october | 5.2 | Medium | 2020-11-23 |
| CVE-2020-10746 | Red Hat Infinispan Security Vulnerability — Infinispan | 7.8 | - | 2020-10-19 |
| CVE-2020-3400 | Cisco IOS and IOS XE Security Vulnerability — Cisco IOS XE Software | 8.8 | - | 2020-09-24 |
| CVE-2020-14306 | Red Hat OpenShift Service Mesh istio-rhel8-operator Security Vulnerability — openshift-service-mesh/istio-rhel8-operator | 8.8 | - | 2020-09-16 |
CWE-862 (Missing Authorization) is a common weakness class; this platform has catalogued 5781 CVE vulnerabilities associated with it.
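The hardened form of the private-message flow shown above, as an added example in Python rather than code from the page or from CWE: the message's owner is read from the stored object and compared against the authenticated user on the server before anything is rendered. The message store, user names and helper names are constructed for the demonstration.

```python
# Added example (not the page's code): server-side, object-level authorization
# check for the private-message flow, the fix for the CWE-862 pattern above.
from dataclasses import dataclass
from html import escape
from typing import Optional


@dataclass(frozen=True)
class Message:
    id: int
    owner: str    # username the message was delivered to
    sender: str
    subject: str
    body: str


# Constructed sample data standing in for LookupMessageObject()'s backing store.
MESSAGES = {
    1: Message(1, "alice", "bob", "lunch?", "noon at the usual place"),
    2: Message(2, "carol", "dave", "<salary review>", "confidential & private"),
}


class AuthorizationError(Exception):
    """Raised when the authenticated user may not access the requested object."""


def lookup_message(message_id: int) -> Optional[Message]:
    return MESSAGES.get(message_id)


def display_private_message(current_user: str, message_id: int) -> str:
    """Render a message only if it belongs to the authenticated user.

    `current_user` must come from the authenticated session, never from a
    request parameter; the owner comes from the stored object. Changing the
    id in the URL therefore cannot expose another user's message.
    """
    message = lookup_message(message_id)
    # Same error for "missing" and "not yours": the two cases are not
    # distinguishable, so valid ids cannot be enumerated from the response.
    if message is None or message.owner != current_user:
        raise AuthorizationError("message not found or not accessible")
    return (
        f"From: {escape(message.sender)}<br>\n"
        f"Subject: {escape(message.subject)}\n"
        "<hr>\n"
        f"Body: {escape(message.body)}\n"
    )
```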