CVEbaza.plCWE DictionaryCWE-357
Common Weakness Enumeration

CWE-357

Insufficient UI Warning of Dangerous Operations

Category: BaseCVE: 20
Description

The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.

CVE vulnerabilities with CWE-357 (20)
8.6
CVSS
HIGH
CVE-2025-49582

XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles of information boxes weren't analyzed at all. Similarly, the "source" parameters of the content and context macro weren't anylzed even though they could contain arbitrary XWiki syntax. In the worst case, this could allow a malicious to add malicious script macros including Groovy or Python macros to a page that are then executed after another user with programming righs edits the page, thus allowing remote code execution. The required rights analyzers have been made more robust and extended to cover those cases in XWiki 16.4.7, 16.10.3 and 17.0.0.

pub. 2025-06-13
8.6
CVSS
HIGH
CVE-2025-49585

XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

pub. 2025-06-13
8.1
CVSS
HIGH
CVE-2025-33054

Insufficient UI warning of dangerous operations in Remote Desktop Client allows an unauthorized attacker to perform spoofing over a network.

pub. 2025-07-08
7.8
CVSS
HIGH
CVE-2024-43505

Microsoft Office Visio Remote Code Execution Vulnerability

pub. 2024-10-08
7.8
CVSS
HIGH
CVE-2021-22645

Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions prior to 10.1, Luxion KeyShot Network Rendering versions prior to 10.1, and Luxion KeyVR versions prior to 10.1 are vulnerable to an attack because the .bip documents display a “load” command, which can be pointed to a .dll from a remote network share. As a result, the .dll entry point can be executed without sufficient UI warning.

pub. 2021-02-23
7.8
CVSS
HIGH
CVE-2019-13521

A maliciously crafted program file opened by an unsuspecting user of Rockwell Automation Arena Simulation Software version 16.00.00 and earlier may result in the limited exposure of information related to the targeted workstation. Rockwell Automation has released version 16.00.01 of Arena Simulation Software to address the reported vulnerabilities.

pub. 2020-01-27
7.1
CVSS
HIGH
CVE-2026-26151

Insufficient ui warning of dangerous operations in Windows Remote Desktop allows an unauthorized attacker to perform spoofing over a network.

pub. 2026-04-14
6.4
CVSS
MEDIUM
CVE-2025-49587

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.

pub. 2025-06-13
6.4
CVSS
MEDIUM
CVE-2022-41904

Element iOS is an iOS Matrix client provided by Element. It is based on MatrixSDK. Prior to version 1.9.7, events encrypted using Megolm for which trust could not be established did not get decorated accordingly (with warning shields). Therefore a malicious homeserver could inject messages into the room without the user being alerted that the messages were not sent by a verified group member, even if the user has previously verified all group members. This issue has been patched in Element iOS 1.9.7. There are currently no known workarounds.

pub. 2022-11-11
5.4
CVSS
MEDIUM
CVE-2024-43580

Microsoft Edge (Chromium-based) Spoofing Vulnerability

pub. 2024-10-17
5.4
CVSS
MEDIUM
CVE-2024-30058

Microsoft Edge (Chromium-based) Spoofing Vulnerability

pub. 2024-06-13
5.3
CVSS
MEDIUM
CVE-2024-21387

Microsoft Edge for Android Spoofing Vulnerability

pub. 2024-01-26
5.1
CVSS
MEDIUM
CVE-2025-49583

XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

pub. 2025-06-13
4.7
CVSS
MEDIUM
CVE-2025-47967

Insufficient ui warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.

pub. 2025-09-16
4.6
CVSS
MEDIUM
CVE-2026-47782

Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation nor notification. If a URL to some malicious web page is given through an intent, RoboForm may silently download files without user confirmation nor notification.

pub. 2026-05-20
4.3
CVSS
MEDIUM
CVE-2026-58597

Insufficient ui warning of dangerous operations in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

pub. 2026-07-03
4.3
CVSS
MEDIUM
CVE-2024-49054

Microsoft Edge (Chromium-based) Spoofing Vulnerability

pub. 2024-11-22
4.3
CVSS
MEDIUM
CVE-2024-29057

Microsoft Edge (Chromium-based) Spoofing Vulnerability

pub. 2024-03-22
4.3
CVSS
MEDIUM
CVE-2024-26188

Microsoft Edge (Chromium-based) Spoofing Vulnerability

pub. 2024-02-23
2.5
CVSS
LOW
CVE-2024-21336

Microsoft Edge (Chromium-based) Spoofing Vulnerability

pub. 2024-01-26
Information
ID: CWE-357
Type: Base
Vulnerabilities: 20
MITRE CWE ↗
← CWE Dictionary