
CWE-940 Improper Verification of Source of a Communication Channel: vulnerability list (32)

Summary of the 32 CVE entries associated with the CWE-940 weakness class (Improper Verification of Source of a Communication Channel), with AI-generated Chinese analysis.

CWE-940 is a communication-source verification weakness. An attacker establishes a communication channel from an untrusted origin and bypasses the authentication mechanism, thereby gaining unauthorized access or performing privileged operations. When handling incoming requests, developers should strictly verify the origin of the communication channel, ensure that it falls within the expected trust domain, and enforce an origin allowlist or signature verification, so that a malicious entity cannot forge the request entry point and system interactions remain secure.

MITRE CWE official description
CWE-940: Improper Verification of Source of a Communication Channel. The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from an expected origin. When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may gain privileges and access unintended functionality.
Common consequences (1)
Scope: Access Control, Other. Impact: Gain Privileges or Assume Identity, Varies by Context, Bypass Protection Mechanism.
An attacker can access any functionality that is inadvertently accessible to the source.
Mitigations (1)
Phase: Architecture and Design. Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack. When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface …
Code examples (2)
This Android application will remove a user account when it receives an intent to do so:
IntentFilter filter = new IntentFilter("com.example.RemoveUser");
DeleteReceiver receiver = new DeleteReceiver();
registerReceiver(receiver, filter);

public class DeleteReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // Nothing checks who sent the broadcast: any application on the device can trigger the deletion.
        int userID = intent.getIntExtra("userID", -1);
        destroyUserData(userID);
    }
}
Bad · Java
These Android and iOS applications intercept URL loading within a WebView and perform special actions if a particular URL scheme is used, thus allowing the Javascript within the WebView to communicate with the application:
// Android
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
    // Only the scheme string is inspected; the origin of the page issuing the request is never verified.
    if (url.substring(0, 14).equalsIgnoreCase("examplescheme:")) {
        if (url.substring(14, 25).equalsIgnoreCase("getUserInfo")) {
            writeDataToView(view, UserData);
            return false;
        } else {
            return true;
        }
    }
    return false; // not the custom scheme: let the WebView load the URL normally
}
Bad · Java
// iOS
-(BOOL) webView:(UIWebView *)exWebView shouldStartLoadWithRequest:(NSURLRequest *)exRequest navigationType:(UIWebViewNavigationType)exNavigationType {
    NSURL *URL = [exRequest URL];
    if ([[URL scheme] isEqualToString:@"exampleScheme"]) {
        NSString *functionString = [URL resourceSpecifier];
        if ([functionString hasPrefix:@"specialFunction"]) {
            // Make data available back in webview.
            UIWebView *webView = [self writeDataToView:[URL query]];
        }
        return NO;
    }
    return YES;
}
Bad · Objective-C
| CVE ID | Title | Affected product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-43880 | WWBN AVideo security vulnerability | AVideo | 5.3 | Medium | 2026-05-11 |
| CVE-2026-40434 | Anviz CrossChex Standard security vulnerability | Anviz CrossChex Standard | 8.1 | High | 2026-04-17 |
| CVE-2026-35643 | OpenClaw security vulnerability | OpenClaw | 8.8 | High | 2026-04-10 |
| CVE-2026-33875 | Authenticator security vulnerability | app-Authenticator | 9.3 | Critical | 2026-03-27 |
| CVE-2019-25613 | Easy Chat Server security vulnerability | Easy Chat | 7.5 | High | 2026-03-22 |
| CVE-2026-2967 | Cesanta Mongoose security vulnerability | Mongoose | 3.7 | Low | 2026-02-23 |
| CVE-2026-22269 | Dell PowerProtect Data Manager security vulnerability | PowerProtect Data Manager | 4.7 | Medium | 2026-02-19 |
| CVE-2025-62439 | Fortinet FortiOS security vulnerability | FortiOS | 3.8 | Medium | 2026-02-10 |
| CVE-2025-40820 | Siemens multiple products security vulnerability | SIDOOR ATD430W | 7.5 | High | 2025-12-09 |
| CVE-2025-13086 | OpenVPN security vulnerability | OpenVPN | 7.5 (AI) | High (AI) | 2025-12-03 |
| CVE-2025-61932 | MOTEX Lanscope Endpoint Manager security vulnerability | Lanscope Endpoint Manager (On-Premises) (Client program (MR) and Detection agent (DA)) | 9.8 (AI) | Critical (AI) | 2025-10-20 |
| CVE-2025-20365 | Cisco Access Point Software security vulnerability | Cisco Aironet Access Point Software (IOS XE Controller) | 4.3 | Medium | 2025-09-24 |
| CVE-2025-9999 | PcVue security vulnerability | PcVue | 9.8 (AI) | Critical (AI) | 2025-09-05 |
| CVE-2025-42978 | SAP NetWeaver Application Server Java security vulnerability | SAP NetWeaver Application Server Java | 3.5 | Low | 2025-07-08 |
| CVE-2025-25305 | Home Assistant security vulnerability | core | 7.0 | High | 2025-02-18 |
| CVE-2025-23222 | dde-api-proxy security vulnerability | dde-api-proxy | 8.4 | High | 2025-01-24 |
| CVE-2024-7322 | Silicon Labs EmberZNet access control error vulnerability | EmberZNet | 5.8 | Medium | 2025-01-15 |
| CVE-2024-36506 | Fortinet FortiClientEMS security vulnerability | FortiClientEMS | 3.5 | Low | 2025-01-14 |
| CVE-2025-23019 | IPv6-in-IPv4 tunneling security vulnerability | IPv6 | 5.4 | Medium | 2025-01-14 |
| CVE-2025-23018 | IPv6-in-IPv4 tunneling security vulnerability | IPv6 | 5.4 | Medium | 2025-01-14 |
| CVE-2024-49579 | JetBrains YouTrack security vulnerability | YouTrack | 8.1 | High | 2024-10-17 |
| CVE-2024-20390 | Cisco IOS XR security vulnerability | Cisco IOS XR Software | 5.3 | Medium | 2024-09-11 |
| CVE-2024-1621 | NT-ware uniFLOW Online security vulnerability | uniFLOW Online | 9.8 (AI) | Critical (AI) | 2024-09-02 |
| CVE-2024-0009 | Palo Alto Networks PAN-OS security vulnerability | PAN-OS | 6.3 | Medium | 2024-02-14 |
| CVE-2023-51440 | Siemens SIMATIC security vulnerability | SIMATIC CP 343-1 | 7.5 | High | 2024-02-13 |
| CVE-2023-48387 | TAIWAN-CA (TWCA) JCICSecurityTool cross-site scripting vulnerability | JCICSecurityTool | 8.8 | High | 2023-12-15 |
| CVE-2023-41355 | Nokia G-040W-Q security vulnerability | NOKIA G-040W-Q | 9.8 | Critical | 2023-11-03 |
| CVE-2023-41094 | Silicon Labs EmberZNet security vulnerability | Ember ZNet | 10.0 | Critical | 2023-10-04 |
| CVE-2023-3663 | CODESYS Development System data forgery vulnerability | CODESYS Development System | 8.8 | High | 2023-08-03 |
| CVE-2022-4848 | memos security vulnerability | usememos/memos | 6.5 | - | 2022-12-29 |

"(AI)" marks a CVSS score or severity that the original page tags as AI-assigned rather than taken from the official record.

CWE-940 (Improper Verification of Source of a Communication Channel) is a common weakness class; this platform has collected 32 CVE entries associated with it.