CVEbaza.plSłownik CWECWE-451
Common Weakness Enumeration

CWE-451

User Interface (UI) Misrepresentation of Critical Information

Kategoria: ClassCVE: 303
Opis

Interfejs użytkownika nie przedstawia prawidłowo informacji krytycznych, co pozwala na ich ukrycie lub sfałszowanie źródła. Jest to często element ataków phishingowych.

Description (EN)

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

Podatności CVE z CWE-451 (303)
9.8
CVSS
CRITICAL
CVE-2026-2634

Podatność w Firefox dla iOS umożliwia złośliwym skryptom desynchronizację paska adresu z rzeczywistą zawartością strony przed otrzymaniem odpowiedzi. W efekcie strony kontrolowane przez atakującego mogą być prezentowane użytkownikowi pod sfałszowaną nazwą domeny.

pub. 2026-02-24
9.8
CVSS
CRITICAL
CVE-2026-0906

Podatność w Google Chrome na Androida umożliwia zdalnemu atakującemu podrobienie zawartości paska adresu URL (Omnibox) poprzez spreparowaną stronę HTML. Mimo wysokiej oceny CVSS, producent klasyfikuje podatność jako niską z perspektywy bezpieczeństwa Chromium.

pub. 2026-01-20
9.8
CVSS
CRITICAL
CVE-2026-0907

Podatność w funkcji Split View przeglądarki Google Chrome umożliwia zdalnemu atakującemu przeprowadzenie ataku UI spoofing poprzez spreparowaną stronę HTML. Mimo przypisanej oceny CVSS 9.8 (CRITICAL), producent sklasyfikował podatność jako niską pod względem rzeczywistego zagrożenia bezpieczeństwa.

pub. 2026-01-20
9.8
CVSS
CRITICAL
CVE-2025-8043

Komponent Focus w Mozilla Firefox nieprawidłowo obcinał wyświetlany adres URL od początku zamiast wokół źródła (origin). Może to prowadzić do wprowadzenia użytkownika w błąd co do rzeczywistej odwiedzanej strony, co stanowi poważne zagrożenie dla bezpieczeństwa.

pub. 2025-07-22
8.8
CVSS
HIGH
CVE-2026-11172

Incorrect security UI in Contact Picker in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

pub. 2026-06-04
8.8
CVSS
HIGH
CVE-2026-11175

Incorrect security UI in Messages in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

pub. 2026-06-04
8.8
CVSS
HIGH
CVE-2025-31951

HCL BigFix RunBookAI is affected by a Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.

pub. 2026-05-06
8.8
CVSS
HIGH
CVE-2020-9236

There is an improper interface design vulnerability in Huawei product. A module interface of the impated product does not deal with some operations properly. Attackers can exploit this vulnerability to perform malicious operatation to compromise module service. (Vulnerability ID: HWPSIRT-2020-05010) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9236.

pub. 2024-12-27
8.8
CVSS
HIGH
CVE-2024-43461

Windows MSHTML Platform Spoofing Vulnerability

pub. 2024-09-10🚩 CISA KEV⚡ EXPLOIT
8.8
CVSS
HIGH
CVE-2024-0750

A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. This vulnerability affects Firefox < 122, Firefox ESR < 115.7, and Thunderbird < 115.7.

pub. 2024-01-23
8.8
CVSS
HIGH
CVE-2021-41598

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but if the user later updated the set of repositories the app was installed on after the GitHub App had configured additional user-level permissions, those additional permissions would not be displayed, leading to more permissions being granted than the user potentially intended. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.2.5, 3.1.13, 3.0.21. This vulnerability was reported via the GitHub Bug Bounty program.

pub. 2022-01-25
8.8
CVSS
HIGH
CVE-2021-22866

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but in certain circumstances, if the user revisits the authorization flow after the GitHub App has configured additional user-level permissions, those additional permissions may not be shown, leading to more permissions being granted than the user potentially intended. This vulnerability affected GitHub Enterprise Server 3.0.x prior to 3.0.7 and 2.22.x prior to 2.22.13. It was fixed in versions 3.0.7 and 2.22.13. This vulnerability was reported via the GitHub Bug Bounty program.

pub. 2021-05-14
8.6
CVSS
HIGH
CVE-2019-25718

Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access the underlying operating system through a specific dialog interaction. Attackers can exploit this kiosk escape to take control of the operating system and cause the device to display incorrect or no information from the connected Delta Family patient monitor.

pub. 2026-06-01
8.5
CVSS
HIGH
CVE-2026-53829

OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval.

pub. 2026-06-12
8.2
CVSS
HIGH
CVE-2024-52270

User Interface (UI) Misrepresentation of Critical Information vulnerability in DropBox Sign(HelloSign) allows Content Spoofing. Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DropBox Sign(HelloSign): through 2024-12-04.

pub. 2024-12-05
8.2
CVSS
HIGH
CVE-2024-52271

User Interface (UI) Misrepresentation of Critical Information vulnerability in Documenso allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects Documenso: through 1.8.0, >1.8.0 and Documenso SaaS (Hosted) as of 2024-12-05.

pub. 2024-12-05
8.2
CVSS
HIGH
CVE-2024-52269

User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing. The SaaS AI assistant ignores hidden content that is rendered after signing, misleading the user. For reference see: CVE-2024-52276 This issue affects DocuSign: through 2024-12-04.

pub. 2024-12-04
8.2
CVSS
HIGH
CVE-2024-52276

User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing. 1. Displayed version does not show the layer flattened version, which is provided when the "Print" option is used. 2. Displayed version does not show the layer flattened version, which is provided when the combined download option is used. 3. Displayed version does not show the layer flattened version, which is also the provided version when downloading the result in the uncombined option. Once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DocuSign: through 2024-12-04.

pub. 2024-12-04
8.2
CVSS
HIGH
CVE-2024-52277

User Interface (UI) Misrepresentation of Critical Information vulnerability in DocuSeal allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. This issue affects DocuSeal: through 1.8.1, >1.8.1.

pub. 2024-12-04
8.1
CVSS
HIGH
CVE-2025-11720

The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144.

pub. 2025-10-14
Pokazano 20 z 303 podatności
Informacje
ID: CWE-451
Typ: Class
Podatności: 303
MITRE CWE ↗
← Słownik CWE
CWE-451 — Błędna reprezentacja informacji krytycznych w interfejsie użytkownika | Słownik CWE | CVEbaza.pl