
CWE-942 Overly Permissive Cross-domain Whitelist: vulnerability list (64)

A summary of the 64 CVE entries associated with the CWE-942 (Overly Permissive Cross-domain Whitelist) weakness class, with AI-generated Chinese analysis.

CWE-942 is a cross-domain security policy misconfiguration weakness. When a web application allows communication with untrusted domains, an attacker can exploit the flaw from a malicious domain to steal sensitive data or perform unauthorized operations. Developers should avoid including wildcards or untrusted domain names in the Content Security Policy or cross-domain policy file, strictly restrict the origins allowed to communicate, and ensure that only known, safe domains are trusted, so that cross-domain data leakage is prevented.

MITRE CWE official description
CWE: CWE-942 Permissive Cross-domain Policy with Untrusted Domains. The product uses a web client protection mechanism such as a Content Security Policy (CSP) or a cross-domain policy file, but the policy includes domains that should not be trusted. If a cross-domain policy file includes domains that should not be trusted, such as when a wildcard is used under a higher-level domain, the application can be attacked by those untrusted domains. In many cases the attack can be launched without the victim being aware of it.
Common consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control. Impact: Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Varies by Context.
With an overly permissive policy file, an attacker may be able to bypass the web browser's same-origin policy and conduct many of the same attacks seen in Cross-Site Scripting (CWE-79). An attacker can exploit the weakness to transfer private information from the victim's machine to the attacker, ma…
Mitigations (3)
Architecture and Design, Operation: Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
Architecture and Design, Operation: Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
Architecture and Design, Operation: For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
Code examples (1)
These cross-domain policy files are meant to allow Flash and Silverlight applications hosted on other domains to access the application's data:

Flash cross-domain policy (crossdomain.xml):

    <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
      <allow-access-from domain="*.example.com"/>
      <allow-access-from domain="*"/>
    </cross-domain-policy>

Bad · XML

Silverlight access policy:

    <?xml version="1.0" encoding="utf-8"?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="SOAPAction">
            <domain uri="*"/>
          </allow-from>
          <grant-to>
            <resource path="/" include-subpaths="true"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>

Bad · XML
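As an added check (not part of the CWE entry or of this site), a small Python audit that parses the two policy formats shown above and reports the conditions the mitigations describe: a bare `*`, a wildcard sitting on a public suffix, and a Flash policy whose meta-policy is not `master-only` or `none`. The sample policies and the short public-suffix set are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not from any deployment): the CWE's Flash and Silverlight examples plus a restrictive one.
FLASH_BAD = """<cross-domain-policy>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""
FLASH_OK = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="app.example.com"/>
</cross-domain-policy>"""
SILVERLIGHT_BAD = """<?xml version="1.0" encoding="utf-8"?>
<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

# Hypothetical stand-in for the Public Suffix List: a wildcard on one of these ("*.com") trusts every site under it.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}

def domain_findings(domain: str) -> list[str]:
    """Describe why one allow-list entry is too permissive (empty list if it is fine)."""
    if domain == "*":
        return [f"'{domain}' trusts every origin"]
    if domain.startswith("*."):
        if domain[2:].lower() in PUBLIC_SUFFIXES:
            return [f"'{domain}' is a wildcard on a public suffix"]
        return []  # wildcard scoped to a single registrable domain
    if "*" in domain:
        return [f"'{domain}' contains a mid-label wildcard"]
    return []

def audit_policy(xml_text: str) -> list[str]:
    """Audit a Flash crossdomain.xml or a Silverlight access policy document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    problems: list[str] = []
    # Flash: <allow-access-from domain="..."/> plus the <site-control> meta-policy
    for el in root.iter("allow-access-from"):
        problems += domain_findings(el.get("domain", ""))
    if root.tag == "cross-domain-policy":
        sc = root.find("site-control")
        if sc is None or sc.get("permitted-cross-domain-policies") not in ("master-only", "none"):
            problems.append("meta-policy is not 'master-only' or 'none'")
    # Silverlight: <allow-from><domain uri="..."/></allow-from>; the uri may carry a scheme, so strip it
    for el in root.iter("domain"):
        problems += domain_findings(el.get("uri", "").split("://", 1)[-1])
    return problems

for name, doc in [("flash-bad", FLASH_BAD), ("flash-ok", FLASH_OK), ("silverlight-bad", SILVERLIGHT_BAD)]:
    print(name, audit_policy(doc) or "no findings")
```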
CVE ID | Title | Product | CVSS | Risk level | Published
CVE-2026-10056 | Network Optix Nx Witness VMS security vulnerability | Nx Witness VMS | 7.5 | High | 2026-05-29
CVE-2026-9739 | Google MCP Toolbox for Databases security vulnerability | MCP Toolbox for Databases | - | - | 2026-05-27
CVE-2026-46431 | algernon security vulnerability | algernon | 4.3 | Medium | 2026-05-26
CVE-2026-7643 | NextChat access control vulnerability | NextChat | 4.3 | Medium | 2026-05-02
CVE-2026-7581 | MeTube access control vulnerability | MeTube | 4.3 | Medium | 2026-05-01
CVE-2026-41056 | WWBN AVideo security vulnerability | AVideo | 8.1 | High | 2026-04-21
CVE-2026-6662 | Copilot API Proxy security vulnerability | copilot-api | 7.3 | High | 2026-04-20
CVE-2026-6143 | CC Switch security vulnerability | cc-switch | 6.3 | Medium | 2026-04-13
CVE-2026-5302 | CoolerControl security vulnerability | coolercontrold | 6.3 | Medium | 2026-04-08
CVE-2026-33533 | glances security vulnerability | glances | 8.1 | High | 2026-04-02
CVE-2026-5321 | Vanna security vulnerability | vanna | 4.3 | Medium | 2026-04-02
CVE-2026-34449 | SiYuan security vulnerability | siyuan | 9.7 | Critical | 2026-03-31
CVE-2026-34237 | MCP Java SDK security vulnerability | java-sdk | 6.1 | Medium | 2026-03-31
CVE-2025-55274 | HCL Aftermarket DPC security vulnerability | Aftermarket DPC | 2.6 | Low | 2026-03-26
CVE-2026-33010 | mcp-memory-service security vulnerability | mcp-memory-service | 8.1 | High | 2026-03-20
CVE-2026-33043 | WWBN AVideo security vulnerability | AVideo | 8.1 | High | 2026-03-20
CVE-2026-30924 | qui security vulnerability | qui | 8.8 | - | 2026-03-19
CVE-2026-32610 | glances security vulnerability | glances | 8.1 | High | 2026-03-18
CVE-2026-32617 | AnythingLLM security vulnerability | anything-llm | 7.1 | High | 2026-03-13
CVE-2025-9292 | TP-Link Omada Cloud Controller security vulnerability | Omada Cloud Controller | 7.5 | High | 2026-02-13
CVE-2026-25478 | Litestar security vulnerability | litestar | 7.4 | High | 2026-02-09
CVE-2025-13984 | Drupal Next.js security vulnerability | Next.js | 6.1 | Medium | 2026-01-28
CVE-2026-24435 | Tenda W30E security vulnerability | W30E V2 | 8.1 | High | 2026-01-26
CVE-2026-1181 | Altium Forum security vulnerability | Altium 365 | 9.0 | Critical | 2026-01-19
CVE-2025-62523 | PILOS security vulnerability | PILOS | 6.3 | Medium | 2025-10-27
CVE-2023-37401 | IBM Aspera Faspex security vulnerability | Aspera Faspex | 5.3 | Medium | 2025-10-09
CVE-2025-11304 | CodeCanyon Mentor LMS security vulnerability | Mentor LMS | 6.3 | Medium | 2025-10-05
CVE-2025-41010 | Hiberus Sintra security vulnerability | Sintra | 9.8 | Critical | 2025-10-02
CVE-2020-36851 | cors-anywhere security vulnerability | Rob--W / cors-anywhere | 9.1 | Critical | 2025-09-25
CVE-2025-27909 | IBM Concert Software security vulnerability | Concert Software | 5.4 | Medium | 2025-08-18

CWE-942 (Overly Permissive Cross-domain Whitelist) is a common weakness category; this platform has collected 64 CVE entries associated with it.