
CWE-450 (Multiple Interpretations of UI Input) — Vulnerability Class 2

2 vulnerabilities classified as CWE-450 (Multiple Interpretations of UI Input). AI-generated Chinese analysis included.

CWE-450 describes a logic flaw in which an application can interpret a piece of user interface input in more than one way and silently selects the less secure interpretation without asking the user to confirm. Attackers typically exploit this by crafting input that the application resolves to an unintended behaviour, such as bypassing an authentication check or triggering an unauthorized action, relying on the system's assumption about what the user meant. For instance, a web form might accept both numeric and string values for the same field, allowing an attacker to inject malicious content if the backend treats the string form as executable logic. To mitigate this risk, developers must enforce strict input validation and type checking, so that every piece of user-supplied data has one explicitly defined meaning and is sanitized before processing. Clear, unambiguous prompts and allowlists of acceptable inputs further reduce the attack surface by preventing the application from making dangerous assumptions about user intent.

MITRE CWE Description
The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation.
Common Consequences (1)
Scope: Other — Impact: Varies by Context

Mitigations (2)
Phase: Implementation — Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Phase: Implementation — Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
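The two mitigations above describe an order of operations: decode exactly once, canonicalize to the application's internal form, then validate against an allowlist. The following example is added here to illustrate that order; it is not code from this page, from MITRE, or from the Cisco products listed below. It assumes a hypothetical UI field that selects an action from a fixed allowlist, and it also records when the value the application will act on differs from what the user typed, so the UI can show the interpretation it chose rather than selecting it silently.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Constructed allowlist for a hypothetical "action" field of a file-sharing UI.
ALLOWED_ACTIONS = frozenset({"view", "download", "share"})


@dataclass(frozen=True)
class Validation:
    accepted: bool
    value: Optional[str]       # canonical value the application will act on
    needs_confirmation: bool   # True when that value differs from what the user typed
    detail: str


def canonicalize(raw: str) -> str:
    """Bring UI input to the application's internal representation (CWE-180).

    Percent-decoding runs exactly once (CWE-174): a second decode after the
    allowlist check would let a doubly-encoded value change after validation.
    NFKC folds Unicode compatibility forms (e.g. fullwidth letters) to their
    canonical equivalents so the allowlist compares against one form only.
    """
    decoded = unquote(raw)
    folded = unicodedata.normalize("NFKC", decoded)
    return folded.strip().lower()


def validate_action(raw: str) -> Validation:
    """Accept-known-good check performed after canonicalization, never before."""
    canon = canonicalize(raw)
    if canon not in ALLOWED_ACTIONS:
        return Validation(False, None, False, f"{canon!r} is not an allowed action")
    changed = canon != raw
    if changed:
        # The input admitted a reading other than its literal text; surface the
        # chosen interpretation instead of applying it silently.
        return Validation(True, canon, True, f"{raw!r} will be interpreted as {canon!r}")
    return Validation(True, canon, False, "accepted as typed")


if __name__ == "__main__":
    # Constructed sample inputs: plain, percent-encoded, doubly encoded, fullwidth, injected.
    for sample in ["view", "%76iew", "%2576iew", "\uff56\uff49\uff45\uff57", "view; rm -rf /"]:
        print(f"{sample!r:28} -> {validate_action(sample)}")
```

Validation happens on the canonical form, so "%2576iew" is rejected: a single decode yields "%76iew", which is not on the allowlist, and no later decode turns it into "view". Inputs that are accepted only after transformation carry needs_confirmation=True, which is the hook for the explicit prompt the CWE description calls for.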
CVE ID | Title | CVSS | Severity | Published
CVE-2022-20863 | Cisco Webex Meetings App Character Interface Manipulation Vulnerability — Cisco Webex Meetings Desktop App | 4.3 | Medium | 2022-09-08
CVE-2021-1242 | Cisco Webex Teams Shared File Manipulation Vulnerability — Cisco Webex Teams | 4.3 | Medium | 2021-01-13

Vulnerabilities classified as CWE-450 (Multiple Interpretations of UI Input) account for 2 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.