
CWE-451 (UI Misrepresentation of Critical Information) — Vulnerability Class 72

72 vulnerabilities classified as CWE-451 (UI Misrepresentation of Critical Information). AI Chinese analysis included.

CWE-451 represents a critical interface weakness where the user interface fails to accurately display essential information, allowing attackers to obscure or spoof data sources. This vulnerability is typically exploited in phishing campaigns, where malicious actors manipulate the UI to present fraudulent content that mimics trusted entities, thereby deceiving users into revealing sensitive credentials or executing harmful actions. By creating a false sense of security or urgency, the attacker leverages the user’s trust in the interface design to bypass cognitive safeguards. To prevent this, developers must implement robust input validation and ensure that all UI elements clearly and consistently reflect the true state and source of information. Utilizing standardized security indicators, such as verified domain names in address bars and consistent branding, helps maintain transparency. Additionally, conducting regular usability testing and security audits ensures that the interface remains resilient against deceptive modifications, preserving user trust and system integrity.

MITRE CWE Description
The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

If an attacker can cause the UI to display erroneous data, or to otherwise convince the user to display information that appears to come from a trusted source, then the attacker could trick the user into performing the wrong action. This is often a component in phishing attacks, but other kinds of problems exist. For example, if the UI is used to monitor the security state of a system or network, then omitting or obscuring an important indicator could prevent the user from detecting and reacting to a security-critical event.

UI misrepresentation can take many forms:

Incorrect indicator: incorrect information is displayed, which prevents the user from understanding the true state of the product or the environment the product is monitoring, especially of potentially-dangerous conditions or operations. This can be broken down into several different subtypes.

Overlay: an area of the display is intended to give critical information, but another process can modify the display by overlaying another element on top of it. The user is not interacting with the expected portion of the user interface. This is the problem that enables clickjacking attacks, although many other types of attacks exist that involve overlay.

Icon manipulation: the wrong icon, or the wrong color indicator, can b…
Common Consequences (1)
Scope: Non-Repudiation, Access Control
Impact: Hide Activities, Bypass Protection Mechanism

Mitigations (2)
Phase: Implementation. Perform data validation (e.g. syntax, length, etc.) before interpreting the data.
Phase: Architecture and Design. Create a strategy for presenting information, and plan for how to display unusual characters.
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2025-21253 | Microsoft Edge for IOS and Android Spoofing Vulnerability | Microsoft Edge for Android | 5.3 | Medium | 2025-02-06
CVE-2025-0729 | TP-Link TL-SG108E clickjacking | TL-SG108E | 4.3 | Medium | 2025-01-27
CVE-2025-21262 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Microsoft Edge (Chromium-based) | 5.4 | Medium | 2025-01-24
CVE-2025-21314 | Windows SmartScreen Spoofing Vulnerability | Windows 10 Version 1607 | 6.5 | Medium | 2025-01-14
CVE-2024-55896 | IBM PowerHA SystemMirror for i clickjacking | i | 5.4 | Medium | 2025-01-03
CVE-2020-9236 | Huawei FusionCompute security vulnerability | FusionCompute | 8.8 | High | 2024-12-27
CVE-2024-55889 | phpMyFAQ Vulnerable to Unintended File Download Triggered by Embedded Frames | phpMyFAQ | 4.9 | Medium | 2024-12-13
CVE-2024-52271 | PDF Document Spoofing in Documenso | Documenso | 4.3 | - | 2024-12-05
CVE-2024-52270 | PDF Document Spoofing in DropBox Sign (HelloSign) | DropBox Sign | 4.3 | - | 2024-12-05
CVE-2024-52269 | AI Assistant PDF Document Spoofing in DocuSign | DocuSign | 3.5 | - | 2024-12-04
CVE-2024-52277 | PDF Document Spoofing in DocuSeal | DocuSeal | 4.3 | - | 2024-12-04
CVE-2024-52276 | PDF Document Spoofing in DocuSign | DocuSign | 4.3 | - | 2024-12-04
CVE-2024-49040 | Microsoft Exchange Server Spoofing Vulnerability | Microsoft Exchange Server 2019 Cumulative Update 13 | 7.5 | High | 2024-11-12
CVE-2024-51749 | Element's thumbnails can be abused to misrepresent the content of an attachment | element-web | 3.5 | Low | 2024-11-12
CVE-2024-47044 | NTT EAST multiple products security vulnerability | Hikari Denwa router RT-400MI | 8.2 (AI) | High (AI) | 2024-09-26
CVE-2024-43461 | Windows MSHTML Platform Spoofing Vulnerability | Windows 11 Version 24H2 | 8.8 | High | 2024-09-10
CVE-2024-38197 | Microsoft Teams for iOS Spoofing Vulnerability | Microsoft Teams for iOS | 6.5 | Medium | 2024-08-13
CVE-2024-6595 | Uncontrolled Search Path Element in GitLab | GitLab | 3.0 | Low | 2024-07-17
CVE-2024-38112 | Windows MSHTML Platform Spoofing Vulnerability | Windows 10 Version 22H2 | 7.5 | High | 2024-07-09
CVE-2024-38093 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Microsoft Edge (Chromium-based) | 4.3 | Medium | 2024-06-20
CVE-2024-38082 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Microsoft Edge (Chromium-based) | 4.7 | Medium | 2024-06-20
CVE-2024-30055 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Microsoft Edge (Chromium-based) | 5.4 | Medium | 2024-05-10
CVE-2023-50938 | IBM PowerSC clickjacking | PowerSC | 6.5 | Medium | 2024-02-02
CVE-2022-39258 | mailcow-dockerized critical information misrepresentation can lead to phishing attacks through Swagger UI | mailcow-dockerized | 8.1 | High | 2022-09-27
CVE-2022-2800 | SourceCodester Gym Management System clickjacking | Gym Management System | 4.3 | Medium | 2022-08-12
CVE-2021-27773 | HCL Sametime is vulnerable to clickjacking | Sametime | 4.2 | Medium | 2022-05-12
CVE-2021-27414 | User interface misrepresentation of critical information in Hitachi ABB Power Grids Ellipse EAM | Ellipse Enterprise Asset Management (EAM) | 5.5 | Medium | 2022-03-11
CVE-2022-23646 | Improper CSP in Image Optimization API for Next.js | next.js | 5.9 | Medium | 2022-02-17
CVE-2021-41598 | UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user | GitHub Enterprise Server | 8.8 | - | 2022-01-25
CVE-2021-33593 | Naver Whale Browser security vulnerability | NAVER Whale browser | 5.3 | - | 2021-11-02

Vulnerabilities classified as CWE-451 (UI Misrepresentation of Critical Information) represent 72 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.