CWE-356

Product UI does not Warn User of Unsafe Actions

Abstraction: Base | Status: Incomplete

Description

The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

Product systems should warn users that a potentially dangerous action may occur if the user proceeds. For example, if the user downloads a file from an unknown source and attempts to execute the file on their machine, then the application's GUI can indicate that the file is unsafe.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (5)

  • CVE-2025-3909 | Severity: High | Published: May 14, 2025
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as…

  • CVE-2025-3839 | Severity: High | Published: Jan 23, 2026
    risk 0.52 | CVSS 8.0 | EPSS 0.00

    A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly…

  • CVE-2026-0777 | Severity: High | Published: Feb 20, 2026
    risk 0.51 | CVSS 7.8 | EPSS 0.00

    Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xmind. User interaction is required to exploit this vulnerability in that the target must visit a…

  • CVE-2018-10595 | Severity: Medium | Published: May 24, 2018
    risk 0.41 | CVSS 6.3 | EPSS 0.00

    A vulnerability in ReadA version 1.1.0.2 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in loss or corruption of data.

  • CVE-2018-10593 | Severity: Medium | Published: May 24, 2018
    risk 0.36 | CVSS 5.6 | EPSS 0.00

    A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may…