CWE-451
User Interface (UI) Misrepresentation of Critical Information
ClassDraft
Description
The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-154 · CAPEC-163 · CAPEC-164 · CAPEC-173 · CAPEC-98
CVEs mapped to this weakness (68)
page 4 of 4| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-30467 | Med | 0.28 | 4.3 | 0.00 | Mar 31, 2025 | The issue was addressed with improved checks. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, watchOS 11.4. Visiting a malicious website may lead to address bar spoofing. | |
| CVE-2025-0729 | Med | 0.28 | 4.3 | 0.00 | Jan 27, 2025 | A vulnerability was found in TP-Link TL-SG108E 1.0.0 Build 20201208 Rel. 40304. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to clickjacking. The attack may be initiated remotely. Upgrading to version 1.0.0 Build 20250124 Rel. 54920(Beta) is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early. They reacted very professional and provided a pre-fix version for their customers. | |
| CVE-2017-0888 | Med | 0.28 | 4.3 | 0.01 | Apr 5, 2017 | Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information. | |
| CVE-2026-8584 | Med | 0.27 | 4.2 | 0.00 | May 14, 2026 | Inappropriate implementation in Views in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | |
| CVE-2026-8564 | Med | 0.27 | 4.2 | 0.00 | May 14, 2026 | Incorrect security UI in Downloads in Google Chrome on Android and Mac prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | |
| CVE-2026-35371 | Low | 0.21 | 3.3 | 0.00 | Apr 22, 2026 | The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleading diagnostic output that can cause automated scripts or system administrators to make incorrect decisions regarding file permissions or access control. | |
| CVE-2024-51749 | Low | 0.16 | 3.5 | 0.00 | Nov 12, 2024 | Element is a Matrix web client built using the Matrix React SDK. Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events trigger a file download once clicked. Fixed in element-web 1.11.85. | |
| CVE-2025-43712 | Low | 0.12 | 2.9 | 0.00 | Jul 25, 2025 | JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed the access to all admin-related functionalities in the application. NOTE: this is disputed by the Supplier because there is no privilege escalation in the context of the JHipster backend (the report only demonstrates that, after using JHipster to generate an application, one can make a non-functional admin screen visible in the front end of that application). |