
CWE-451 (UI Misrepresentation of Critical Information) — Vulnerability Class (72 CVEs)

72 vulnerabilities classified as CWE-451 (UI Misrepresentation of Critical Information). AI-generated Chinese analysis included.

CWE-451 represents a critical interface weakness where the user interface fails to accurately display essential information, allowing attackers to obscure or spoof data sources. This vulnerability is typically exploited in phishing campaigns, where malicious actors manipulate the UI to present fraudulent content that mimics trusted entities, thereby deceiving users into revealing sensitive credentials or executing harmful actions. By creating a false sense of security or urgency, the attacker leverages the user’s trust in the interface design to bypass cognitive safeguards. To prevent this, developers must implement robust input validation and ensure that all UI elements clearly and consistently reflect the true state and source of information. Utilizing standardized security indicators, such as verified domain names in address bars and consistent branding, helps maintain transparency. Additionally, conducting regular usability testing and security audits ensures that the interface remains resilient against deceptive modifications, preserving user trust and system integrity.

MITRE CWE Description

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

If an attacker can cause the UI to display erroneous data, or to otherwise convince the user to display information that appears to come from a trusted source, then the attacker could trick the user into performing the wrong action. This is often a component in phishing attacks, but other kinds of problems exist. For example, if the UI is used to monitor the security state of a system or network, then omitting or obscuring an important indicator could prevent the user from detecting and reacting to a security-critical event.

UI misrepresentation can take many forms:

- Incorrect indicator: incorrect information is displayed, which prevents the user from understanding the true state of the product or the environment the product is monitoring, especially of potentially-dangerous conditions or operations. This can be broken down into several different subtypes.
- Overlay: an area of the display is intended to give critical information, but another process can modify the display by overlaying another element on top of it. The user is not interacting with the expected portion of the user interface. This is the problem that enables clickjacking attacks, although many other types of attacks exist that involve overlay.
- Icon manipulation: the wrong icon, or the wrong color indicator, can b…
Common Consequences (1)

Scope: Non-Repudiation, Access Control
Impact: Hide Activities, Bypass Protection Mechanism

Mitigations (2)

Phase: Implementation
Perform data validation (e.g. syntax, length, etc.) before interpreting the data.

Phase: Architecture and Design
Create a strategy for presenting information, and plan for how to display unusual characters.
CVE ID | Title | CVSS | Severity | Published
CVE-2021-22866 | UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user resources — GitHub Enterprise Server | 8.8 | - | 2021-05-14
CVE-2020-7370 | Danyil Vasilenko Bolt Browser Address Bar Spoofing — Bolt Browser | 4.3 | Medium | 2020-10-20
CVE-2020-7371 | Raise IT Solutions RITS Browser Address Bar Spoofing — RITS Browser | 4.3 | Medium | 2020-10-20
CVE-2020-7369 | Yandex Browser Address Bar Spoofing — Yandex Browser | 4.3 | Medium | 2020-10-20
CVE-2020-7364 | UCWeb UC Browser Address Bar Spoofing — UC Browser | 4.3 | Medium | 2020-10-20
CVE-2020-7363 | UCWeb UC Browser Address Bar Spoofing — UC Browser | 4.3 | Medium | 2020-10-20
CVE-2020-10775 | ovirt-engine Input Validation Error Vulnerability — ovirt-engine | 4.7 | - | 2020-08-24
CVE-2017-0888 | Nextcloud Server Security Vulnerability — Nextcloud Server | 4.3 | - | 2017-04-05
CVE-2016-9460 | Nextcloud Server and ownCloud Server Security Vulnerability — Nextcloud Server & ownCloud Server; Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 | 5.3 | - | 2017-03-28
CVE-2016-9473 | Brave Browser iOS and Brave Browser Android Security Vulnerability — Brave Software Brave Browser iOS before 1.2.18 and Brave Browser Android 1.9.56 and earlier | 4.7 | - | 2017-03-28
CVE-2016-9468 | Nextcloud Server and ownCloud Server Security Vulnerability — Nextcloud Server & ownCloud Server; Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 | 5.3 | - | 2017-03-28
CVE-2016-9467 | Nextcloud Server and ownCloud Server Security Vulnerability — Nextcloud Server & ownCloud Server; Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 | 5.3 | - | 2017-03-28

Vulnerabilities classified as CWE-451 (UI Misrepresentation of Critical Information) represent 72 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.