CWE-451

User Interface (UI) Misrepresentation of Critical Information

The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.

CVE-2020-7371 (GCVE-0-2020-7371)

Vulnerability from cvelistv5 – Published: 2020-10-20 16:40 – Updated: 2024-09-16 22:50
Title
Raise IT Solutions RITS Browser Address Bar Spoofing
Summary
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the RITS Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects RITS Browser version 3.3.9 and prior versions. (The description text in the record itself names "Yandex Browser"; the record's title, affected-product and version data all identify RITS Browser, which is the product this CVE covers.)
Severity
CVSS 3.1 base score 4.3 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
rapid7
References
  • https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html
  • https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/
Impacted products
Vendor               Product        Version
Raise IT Solutions   RITS Browser   Affected: ≤ 3.3.9
Date Public
2020-10-20 00:00
Credits
This issue was discovered by Rafay Baloch, and disclosed in accordance with Rapid7's coordinated vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:25:48.977Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RITS Browser",
          "vendor": "Raise IT Solutions",
          "versions": [
            {
              "lessThanOrEqual": "3.3.9",
              "status": "affected",
              "version": "3.3.9",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Rafay Baloch, and disclosed in accordance with Rapid7\u0027s coordinated vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
        }
      ],
      "datePublic": "2020-10-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the RITS Browser version 3.3.9 and prior versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-10-20T16:40:24.000Z",
        "orgId": "9974b330-7714-4307-a722-5648477acda7",
        "shortName": "rapid7"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Raise IT Solutions RITS Browser Address Bar Spooofing",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@rapid7.com",
          "DATE_PUBLIC": "2020-10-20T13:00:00.000Z",
          "ID": "CVE-2020-7371",
          "STATE": "PUBLIC",
          "TITLE": "Raise IT Solutions RITS Browser Address Bar Spooofing"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "RITS Browser",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "3.3.9",
                            "version_value": "3.3.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Raise IT Solutions"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was discovered by Rafay Baloch, and disclosed in accordance with Rapid7\u0027s coordinated vulnerability disclosure policy at https://www.rapid7.com/security/disclosure#zeroday"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the RITS Browser version 3.3.9 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html",
              "refsource": "MISC",
              "url": "https://www.rafaybaloch.com/2020/10/multiple-address-bar-spoofing-vulnerabilities.html"
            },
            {
              "name": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/",
              "refsource": "MISC",
              "url": "https://blog.rapid7.com/2020/10/20/vulntober-multiple-mobile-browser-address-bar-spoofing-vulnerabilities/"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
    "assignerShortName": "rapid7",
    "cveId": "CVE-2020-7371",
    "datePublished": "2020-10-20T16:40:25.065Z",
    "dateReserved": "2020-01-21T00:00:00.000Z",
    "dateUpdated": "2024-09-16T22:50:27.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-9236 (GCVE-0-2020-9236)

Vulnerability from cvelistv5 – Published: 2024-12-27 09:52 – Updated: 2024-12-27 14:58
Summary
There is an improper interface design vulnerability in a Huawei product. A module interface of the impacted product does not handle some operations properly. Attackers can exploit this vulnerability to perform malicious operations to compromise the module service. (Vulnerability ID: HWPSIRT-2020-05010) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9236.
Note that the vendor description does not say what information is misrepresented to a user, and the CVSS vector (network-reachable, low privileges, no user interaction, high confidentiality, integrity and availability impact) is not the profile of a typical CWE-451 issue; the CWE mapping is the assigner's classification and the record gives no further detail.
Severity
CVSS 3.1 base score 8.8 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SSVC (CISA ADP): Exploitation none, Automatable no, Technical Impact total
CWE
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
huawei
References
  • https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200812-01-fc-en
Impacted products
Vendor   Product         Version
Huawei   FusionCompute   Affected: 8.0.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2020-9236",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-27T14:58:06.538457Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-27T14:58:20.688Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FusionCompute",
          "vendor": "Huawei",
          "versions": [
            {
              "status": "affected",
              "version": "8.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere is an improper interface design vulnerability in Huawei product. A module interface of the impated product does not deal with some operations properly. Attackers can exploit this vulnerability to perform malicious operatation to compromise module service. (Vulnerability ID: HWPSIRT-2020-05010)\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9236.\u003c/p\u003e"
            }
          ],
          "value": "There is an improper interface design vulnerability in Huawei product. A module interface of the impated product does not deal with some operations properly. Attackers can exploit this vulnerability to perform malicious operatation to compromise module service. (Vulnerability ID: HWPSIRT-2020-05010)\n\n\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9236."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-27T09:52:11.426Z",
        "orgId": "25ac1063-e409-4190-8079-24548c77ea2e",
        "shortName": "huawei"
      },
      "references": [
        {
          "url": "https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200812-01-fc-en"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "25ac1063-e409-4190-8079-24548c77ea2e",
    "assignerShortName": "huawei",
    "cveId": "CVE-2020-9236",
    "datePublished": "2024-12-27T09:52:11.426Z",
    "dateReserved": "2020-02-18T00:00:00.000Z",
    "dateUpdated": "2024-12-27T14:58:20.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-22866 (GCVE-0-2021-22866)

Vulnerability from cvelistv5 – Published: 2021-05-14 21:10 – Updated: 2024-08-03 18:51
Title
UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user resources
Summary
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but in certain circumstances, if the user revisits the authorization flow after the GitHub App has configured additional user-level permissions, those additional permissions may not be shown, leading to more permissions being granted than the user potentially intended. This vulnerability affected GitHub Enterprise Server 3.0.x prior to 3.0.7 and 2.22.x prior to 2.22.13. It was fixed in versions 3.0.7 and 2.22.13. This vulnerability was reported via the GitHub Bug Bounty program.
Severity
No CVSS data available.
CWE
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
GitHub_P
References
  • https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.7
  • https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.13
Impacted products
Vendor   Product                  Version
GitHub   GitHub Enterprise Server  Affected: 3.0.x, < 3.0.7
GitHub   GitHub Enterprise Server  Affected: 2.22.x, < 2.22.13
Credits
Vaibhav Singh (vaib25vicky)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:51:07.627Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.7"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.13"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GitHub Enterprise Server",
          "vendor": "GitHub",
          "versions": [
            {
              "lessThan": "3.0.7",
              "status": "affected",
              "version": "3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "2.22.13",
              "status": "affected",
              "version": "2.22",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vaibhav Singh (vaib25vicky)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App\u0027s user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but in certain circumstances, if the user revisits the authorization flow after the GitHub App has configured additional user-level permissions, those additional permissions may not be shown, leading to more permissions being granted than the user potentially intended. This vulnerability affected GitHub Enterprise Server 3.0.x prior to 3.0.7 and 2.22.x prior to 2.22.13. It was fixed in versions 3.0.7 and 2.22.13. This vulnerability was reported via the GitHub Bug Bounty program."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-14T21:10:12.000Z",
        "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "shortName": "GitHub_P"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.7"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.github.com/en/enterprise-server%402.22/admin/release-notes#2.22.13"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user resources",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "product-cna@github.com",
          "ID": "CVE-2021-22866",
          "STATE": "PUBLIC",
          "TITLE": "UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user resources"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GitHub Enterprise Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0",
                            "version_value": "3.0.7"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "2.22",
                            "version_value": "2.22.13"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "GitHub"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Vaibhav Singh (vaib25vicky)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App\u0027s user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but in certain circumstances, if the user revisits the authorization flow after the GitHub App has configured additional user-level permissions, those additional permissions may not be shown, leading to more permissions being granted than the user potentially intended. This vulnerability affected GitHub Enterprise Server 3.0.x prior to 3.0.7 and 2.22.x prior to 2.22.13. It was fixed in versions 3.0.7 and 2.22.13. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-451: User Interface (UI) Misrepresentation of Critical Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.7",
              "refsource": "MISC",
              "url": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.7"
            },
            {
              "name": "https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.13",
              "refsource": "MISC",
              "url": "https://docs.github.com/en/enterprise-server@2.22/admin/release-notes#2.22.13"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
    "assignerShortName": "GitHub_P",
    "cveId": "CVE-2021-22866",
    "datePublished": "2021-05-14T21:10:12.000Z",
    "dateReserved": "2021-01-06T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:51:07.627Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}
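The consent-flow failure mode described for CVE-2021-22866, as an added example that is not GitHub's code: a small Python model of an app-authorization flow. The vulnerable shape lets an existing grant short-circuit the consent screen while the issued token reflects the app's current permission set; the hardened version diffs the app's live request against what the user already approved and re-prompts, listing the full request with the unapproved entries flagged. The permission names, the read/write levels and the `approve()` callback are illustrative assumptions.

```python
"""Model of an app-authorization consent check (added example, not GitHub's
code). Permission names, the read/write levels and the approve() callback are
illustrative assumptions."""

# Ordered so that a higher level strictly covers a lower one.
LEVELS = {"none": 0, "read": 1, "write": 2}


def escalations(granted, requested):
    """Return the entries of `requested` that the user has not yet consented to:
    permissions that are new, or whose level rose since the last approval."""
    return {
        name: level
        for name, level in requested.items()
        if LEVELS[level] > LEVELS[granted.get(name, "none")]
    }


def authorize_vulnerable(existing_grant, app_permissions, approve):
    """Flawed flow. `existing_grant` is what the user approved earlier (None on
    the first visit); `app_permissions` is the app's current request; approve()
    models the consent page and receives exactly what that page displays.
    Returns the permissions encoded in the token, or None if the user declined."""
    if existing_grant is None:
        if not approve(dict(app_permissions)):
            return None
    # BUG: on a revisit no consent page is rendered, yet the token reflects
    # whatever the app has configured since the first approval.
    return dict(app_permissions)


def authorize_fixed(existing_grant, app_permissions, approve):
    """Hardened flow: diff the live request against the stored grant. Anything
    new or escalated forces a consent page that lists the full request with
    the unapproved entries flagged; the token never exceeds what was shown."""
    already = dict(existing_grant or {})
    added = escalations(already, app_permissions)
    if not added:
        return already  # nothing new to consent to; keep the stored grant
    screen = {
        name: (level, "NEW" if name in added else "previously approved")
        for name, level in app_permissions.items()
    }
    if not approve(screen):
        return already  # a decline leaves the earlier grant untouched
    already.update(app_permissions)
    return already


def demo():
    """Replay the reported scenario: approve once, the app then adds a
    user-level permission, and the user revisits the authorization flow."""
    screens = []

    def rubber_stamp(screen):
        screens.append(screen)  # record what the user actually saw
        return True

    first_request = {"email": "read"}
    later_request = {"email": "read", "gists": "write"}  # app added "gists"

    grant = authorize_vulnerable(None, first_request, rubber_stamp)
    vulnerable_token = authorize_vulnerable(grant, later_request, rubber_stamp)
    vulnerable_revisit_screens = len(screens) - 1

    screens.clear()
    grant = authorize_fixed(None, first_request, rubber_stamp)
    fixed_token = authorize_fixed(grant, later_request, rubber_stamp)
    fixed_revisit_screens = len(screens) - 1

    return {
        "vulnerable_token": vulnerable_token,
        "vulnerable_revisit_screens": vulnerable_revisit_screens,
        "fixed_token": fixed_token,
        "fixed_revisit_screens": fixed_revisit_screens,
        "fixed_revisit_screen": screens[-1] if fixed_revisit_screens else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to a real implementation: the stored grant must record the permission set at the moment of approval (keyed by user and app) so that a later visit has a baseline to diff against, and the token must be minted from that consented set rather than from the app's live configuration, so that a change the app makes after approval can never widen a token without a new consent page.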

CVE-2021-27414 (GCVE-0-2021-27414)

Vulnerability from cvelistv5 – Published: 2022-03-11 17:54 – Updated: 2025-04-16 16:43
Title
User interface misrepresentation of critical information in Hitachi ABB Power Grids Ellipse EAM
Summary
An attacker could trick a user of Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 into visiting a malicious website posing as a login page for the Ellipse application and gather authentication credentials.
CWE
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Severity
CVSS 3.1 base score 5.5 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
SSVC (CISA ADP): Exploitation none, Automatable no, Technical Impact partial
Assigner
icscert
References
  • https://www.cisa.gov/uscert/ics/advisories/icsa-21-061-01
  • https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A7777&LanguageCode=en&DocumentPartId=&Action=Launch
Impacted products
Vendor                    Product                                   Version
Hitachi ABB Power Grids   Ellipse Enterprise Asset Management (EAM)  Affected: ≤ 9.0.25
Solution
Hitachi ABB Power Grids recommends applying the update as soon as possible: Ellipse EAM 9.0.23 fixes one of the vulnerabilities covered by the advisory and 9.0.26 fixes both. Vendor advisory: PGVU-PGGA-Ellipse-202027.
Credits
Hitachi ABB Power Grids reported these vulnerabilities to CISA.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:48:16.843Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-061-01"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A7777\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-27414",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T15:55:39.882978Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T16:43:12.665Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Ellipse Enterprise Asset Management (EAM)",
          "vendor": "Hitachi ABB Power Grids",
          "versions": [
            {
              "lessThanOrEqual": "9.0.25",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Hitachi ABB Power Grids reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An attacker could trick a user of Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 into visiting a malicious website posing as a login page for the Ellipse application and gather authentication credentials."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-11T17:54:00.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-061-01"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A7777\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Hitachi ABB Power Grids recommends users apply the update as soon as they are able. Ellipse EAM Version 9.0.23 fixes one of the vulnerabilities, and Ellipse EAM Version 9.0.26 fixes both.\n\nHitachi ABB Power Grids published cybersecurity advisory PGVU-PGGA-Ellipse-202027 to give users more information about this issue."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "User interface misrepresentation of critical information in Hitachi ABB Power Grids Ellipse EAM",
      "workarounds": [
        {
          "lang": "en",
          "value": "Hitachi ABB Power Grids recommends following security best practices and firewall configurations to help protect a process control network from attacks originating from an outside the network. Such practices include:\n\n    Ensure critical applications and systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall.\n    Firewalls should be configured to have the minimum number of ports exposed and open ports should be justified and documented.\n    Critical systems should not be used for Internet surfing, instant messaging, or receiving e-mails.\n    Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.\n    It is important to implement robust security awareness training to ensure users are able to identify common attacks or content such as phishing emails or malicious web pages.\n"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2021-27414",
          "STATE": "PUBLIC",
          "TITLE": "User interface misrepresentation of critical information in Hitachi ABB Power Grids Ellipse EAM"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Ellipse Enterprise Asset Management (EAM)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "9.0.25"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Hitachi ABB Power Grids"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Hitachi ABB Power Grids reported these vulnerabilities to CISA."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An attacker could trick a user of Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 into visiting a malicious website posing as a login page for the Ellipse application and gather authentication credentials."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-061-01",
              "refsource": "CONFIRM",
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-061-01"
            },
            {
              "name": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A7777\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
              "refsource": "CONFIRM",
              "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK107991A7777\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Hitachi ABB Power Grids recommends users apply the update as soon as they are able. Ellipse EAM Version 9.0.23 fixes one of the vulnerabilities, and Ellipse EAM Version 9.0.26 fixes both.\n\nHitachi ABB Power Grids published cybersecurity advisory PGVU-PGGA-Ellipse-202027 to give users more information about this issue."
          }
        ],
        "source": {
          "discovery": "INTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Hitachi ABB Power Grids recommends following security best practices and firewall configurations to help protect a process control network from attacks originating from an outside the network. Such practices include:\n\n    Ensure critical applications and systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall.\n    Firewalls should be configured to have the minimum number of ports exposed and open ports should be justified and documented.\n    Critical systems should not be used for Internet surfing, instant messaging, or receiving e-mails.\n    Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.\n    It is important to implement robust security awareness training to ensure users are able to identify common attacks or content such as phishing emails or malicious web pages.\n"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-27414",
    "datePublished": "2022-03-11T17:54:00.000Z",
    "dateReserved": "2021-02-19T00:00:00.000Z",
    "dateUpdated": "2025-04-16T16:43:12.665Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-27773 (GCVE-0-2021-27773)

Vulnerability from cvelistv5 – Published: 2022-05-12 21:25 – Updated: 2024-09-16 23:56
Title
HCL Sametime is vulnerable to clickjacking
Summary
This vulnerability allows users to execute a clickjacking attack in the meeting's chat.
CWE
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
HCL
References
Impacted products
Date Public
2022-04-15 00:00

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:26:10.748Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097430"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sametime",
          "vendor": "HCL Software",
          "versions": [
            {
              "status": "affected",
              "version": "11.6"
            }
          ]
        }
      ],
      "datePublic": "2022-04-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "This vulnerability allows users to execute a clickjacking attack in the meeting\u0027s chat."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-12T21:25:29.000Z",
        "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "shortName": "HCL"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097430"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HCL Sametime is vulnerable to clickjacking",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@hcl.com",
          "DATE_PUBLIC": "2022-04-15T00:00:00.000Z",
          "ID": "CVE-2021-27773",
          "STATE": "PUBLIC",
          "TITLE": "HCL Sametime is vulnerable to clickjacking"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Sametime",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "11.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HCL Software"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "This vulnerability allows users to execute a clickjacking attack in the meeting\u0027s chat."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097430",
              "refsource": "MISC",
              "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097430"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
    "assignerShortName": "HCL",
    "cveId": "CVE-2021-27773",
    "datePublished": "2022-05-12T21:25:29.915Z",
    "dateReserved": "2021-02-26T00:00:00.000Z",
    "dateUpdated": "2024-09-16T23:56:30.556Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-33593 (GCVE-0-2021-33593)

Vulnerability from cvelistv5 – Published: 2021-11-02 06:20 – Updated: 2024-08-03 23:50
Summary
Whale browser for iOS before 1.14.0 has an inconsistent user interface issue that allows an attacker to obfuscate the address bar which may lead to address bar spoofing.
Severity
No CVSS data available.
CWE
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
References
URL Tags
https://cve.naver.com/detail/cve-2021-43059 x_refsource_CONFIRM
Impacted products
Vendor Product Version
NAVER NAVER Whale browser Affected: unspecified , < 1.14.0 (custom)
Credits
YoKo Kho from Telkom Indonesia

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:50:43.208Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cve.naver.com/detail/cve-2021-43059"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "NAVER Whale browser",
          "vendor": "NAVER",
          "versions": [
            {
              "lessThan": "1.14.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "YoKo Kho from Telkom Indonesia"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Whale browser for iOS before 1.14.0 has an inconsistent user interface issue that allows an attacker to obfuscate the address bar which may lead to address bar spoofing."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-02T06:20:09.000Z",
        "orgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
        "shortName": "naver"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cve.naver.com/detail/cve-2021-43059"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@navercorp.com",
          "ID": "CVE-2021-33593",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "NAVER Whale browser",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "1.14.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "NAVER"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "YoKo Kho from Telkom Indonesia"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Whale browser for iOS before 1.14.0 has an inconsistent user interface issue that allows an attacker to obfuscate the address bar which may lead to address bar spoofing."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-451: User Interface (UI) Misrepresentation of Critical Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://cve.naver.com/detail/cve-2021-43059",
              "refsource": "CONFIRM",
              "url": "https://cve.naver.com/detail/cve-2021-43059"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f9629fae-ca2e-4fbf-9785-3ed86476aef6",
    "assignerShortName": "naver",
    "cveId": "CVE-2021-33593",
    "datePublished": "2021-11-02T06:20:09.000Z",
    "dateReserved": "2021-05-27T00:00:00.000Z",
    "dateUpdated": "2024-08-03T23:50:43.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-41598 (GCVE-0-2021-41598)

Vulnerability from cvelistv5 – Published: 2022-01-25 19:45 – Updated: 2024-08-04 03:15
Title
UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user
Summary
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but if the user later updated the set of repositories the app was installed on after the GitHub App had configured additional user-level permissions, those additional permissions would not be displayed, leading to more permissions being granted than the user potentially intended. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.2.5, 3.1.13, 3.0.21. This vulnerability was reported via the GitHub Bug Bounty program.
Severity
No CVSS data available.
CWE
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
Impacted products
Vendor Product Version
GitHub GitHub Enterprise Server Affected: 3.0 , < 3.0.21 (custom)
Affected: 3.1 , < 3.1.13 (custom)
Affected: 3.2 , < 3.2.5 (custom)
Credits
Vaibhav Singh (vaib25vicky)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:15:29.207Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.21"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.github.com/en/enterprise-server%403.1/admin/release-notes#3.1.13"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.github.com/en/enterprise-server%403.2/admin/release-notes#3.2.5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "GitHub Enterprise Server",
          "vendor": "GitHub",
          "versions": [
            {
              "lessThan": "3.0.21",
              "status": "affected",
              "version": "3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.1.13",
              "status": "affected",
              "version": "3.1",
              "versionType": "custom"
            },
            {
              "lessThan": "3.2.5",
              "status": "affected",
              "version": "3.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vaibhav Singh (vaib25vicky)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App\u0027s user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but if the user later updated the set of repositories the app was installed on after the GitHub App had configured additional user-level permissions, those additional permissions would not be displayed, leading to more permissions being granted than the user potentially intended. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.2.5, 3.1.13, 3.0.21. This vulnerability was reported via the GitHub Bug Bounty program."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-25T19:45:12.000Z",
        "orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
        "shortName": "GitHub_P"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.github.com/en/enterprise-server%403.0/admin/release-notes#3.0.21"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.github.com/en/enterprise-server%403.1/admin/release-notes#3.1.13"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.github.com/en/enterprise-server%403.2/admin/release-notes#3.2.5"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "product-cna@github.com",
          "ID": "CVE-2021-41598",
          "STATE": "PUBLIC",
          "TITLE": "UI misrepresentation of granted permissions in GitHub Enterprise Server leading to unauthorized access to user"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "GitHub Enterprise Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.0",
                            "version_value": "3.0.21"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.1",
                            "version_value": "3.1.13"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "3.2",
                            "version_value": "3.2.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "GitHub"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Vaibhav Singh (vaib25vicky)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App\u0027s user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but if the user later updated the set of repositories the app was installed on after the GitHub App had configured additional user-level permissions, those additional permissions would not be displayed, leading to more permissions being granted than the user potentially intended. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.3 and was fixed in versions 3.2.5, 3.1.13, 3.0.21. This vulnerability was reported via the GitHub Bug Bounty program."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-451: User Interface (UI) Misrepresentation of Critical Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.21",
              "refsource": "MISC",
              "url": "https://docs.github.com/en/enterprise-server@3.0/admin/release-notes#3.0.21"
            },
            {
              "name": "https://docs.github.com/en/enterprise-server@3.1/admin/release-notes#3.1.13",
              "refsource": "MISC",
              "url": "https://docs.github.com/en/enterprise-server@3.1/admin/release-notes#3.1.13"
            },
            {
              "name": "https://docs.github.com/en/enterprise-server@3.2/admin/release-notes#3.2.5",
              "refsource": "MISC",
              "url": "https://docs.github.com/en/enterprise-server@3.2/admin/release-notes#3.2.5"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760",
    "assignerShortName": "GitHub_P",
    "cveId": "CVE-2021-41598",
    "datePublished": "2022-01-25T19:45:12.000Z",
    "dateReserved": "2021-09-24T00:00:00.000Z",
    "dateUpdated": "2024-08-04T03:15:29.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-23646 (GCVE-0-2022-23646)

Vulnerability from cvelistv5 – Published: 2022-02-17 20:35 – Updated: 2025-04-23 19:02
Title
Improper CSP in Image Optimization API for Next.js
Summary
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default.
CWE
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Assigner
Impacted products
Vendor Product Version
vercel next.js Affected: >= 10.0.0, < 12.1.0

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:51:45.557Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vercel/next.js/pull/34075"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vercel/next.js/releases/tag/v12.1.0"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-23646",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:10:23.654047Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T19:02:50.028Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "next.js",
          "vendor": "vercel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 10.0.0, \u003c 12.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-17T20:35:12.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vercel/next.js/pull/34075"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vercel/next.js/releases/tag/v12.1.0"
        }
      ],
      "source": {
        "advisory": "GHSA-fmvm-x8mv-47mj",
        "discovery": "UNKNOWN"
      },
      "title": "Improper CSP in Image Optimization API for Next.js",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-23646",
          "STATE": "PUBLIC",
          "TITLE": "Improper CSP in Image Optimization API for Next.js"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "next.js",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 10.0.0, \u003c 12.1.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "vercel"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different `loader configuration` other than the default."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-451: User Interface (UI) Misrepresentation of Critical Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj",
              "refsource": "CONFIRM",
              "url": "https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj"
            },
            {
              "name": "https://github.com/vercel/next.js/pull/34075",
              "refsource": "MISC",
              "url": "https://github.com/vercel/next.js/pull/34075"
            },
            {
              "name": "https://github.com/vercel/next.js/releases/tag/v12.1.0",
              "refsource": "MISC",
              "url": "https://github.com/vercel/next.js/releases/tag/v12.1.0"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-fmvm-x8mv-47mj",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-23646",
    "datePublished": "2022-02-17T20:35:12.000Z",
    "dateReserved": "2022-01-19T00:00:00.000Z",
    "dateUpdated": "2025-04-23T19:02:50.028Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2800 (GCVE-0-2022-2800)

Vulnerability from cvelistv5 – Published: 2022-08-12 19:45 – Updated: 2025-04-15 13:51
Title
SourceCodester Gym Management System clickjacking
Summary
A vulnerability, which was classified as problematic, has been found in SourceCodester Gym Management System. Affected by this issue is some unknown functionality. The manipulation leads to clickjacking. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-206246 is the identifier assigned to this vulnerability.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:46:04.550Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Blythe-LU/Record4/blob/main/Gym%20management%20system%20project%20-%20ClickJacking%20exists%20on%20multiple%20pages.md"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.206246"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-2800",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-14T17:01:14.936171Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T13:51:01.380Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Gym Management System",
          "vendor": "SourceCodester",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as problematic, has been found in SourceCodester Gym Management System. Affected by this issue is some unknown functionality. The manipulation leads to clickjacking. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-206246 is the identifier assigned to this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451 Clickjacking",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-12T19:45:33.000Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Blythe-LU/Record4/blob/main/Gym%20management%20system%20project%20-%20ClickJacking%20exists%20on%20multiple%20pages.md"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://vuldb.com/?id.206246"
        }
      ],
      "title": "SourceCodester Gym Management System clickjacking",
      "x_generator": "vuldb.com",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@vuldb.com",
          "ID": "CVE-2022-2800",
          "REQUESTER": "cna@vuldb.com",
          "STATE": "PUBLIC",
          "TITLE": "SourceCodester Gym Management System clickjacking"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Gym Management System",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SourceCodester"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability, which was classified as problematic, has been found in SourceCodester Gym Management System. Affected by this issue is some unknown functionality. The manipulation leads to clickjacking. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-206246 is the identifier assigned to this vulnerability."
            }
          ]
        },
        "generator": "vuldb.com",
        "impact": {
          "cvss": {
            "baseScore": "4.3",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-451 Clickjacking"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Blythe-LU/Record4/blob/main/Gym%20management%20system%20project%20-%20ClickJacking%20exists%20on%20multiple%20pages.md",
              "refsource": "MISC",
              "url": "https://github.com/Blythe-LU/Record4/blob/main/Gym%20management%20system%20project%20-%20ClickJacking%20exists%20on%20multiple%20pages.md"
            },
            {
              "name": "https://vuldb.com/?id.206246",
              "refsource": "MISC",
              "url": "https://vuldb.com/?id.206246"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2022-2800",
    "datePublished": "2022-08-12T19:45:33.000Z",
    "dateReserved": "2022-08-12T00:00:00.000Z",
    "dateUpdated": "2025-04-15T13:51:01.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-39258 (GCVE-0-2022-39258)

Vulnerability from cvelistv5 – Published: 2022-09-27 15:10 – Updated: 2025-04-22 17:20
Title
mailcow-dockerized critical information misrepresentation can lead to phishing attacks through Swagger UI
Summary
mailcow is a mailserver suite. A vulnerability in versions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker-controlled location to steal Swagger authorization credentials, or to a phishing page built to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swagger API Documentation from their e-mail server.
CWE
  • CWE-451 - User Interface (UI) Misrepresentation of Critical Information
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Impacted products
Vendor    Product             Version
mailcow   mailcow-dockerized  Affected: < 2022-09

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:00:43.269Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vjgf-cp5p-wm45"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/mailcow/mailcow-dockerized/pull/4766"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-39258",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:41:17.641973Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T17:20:10.592Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mailcow-dockerized",
          "vendor": "mailcow",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2022-09"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swapper API Documentation from their e-mail server."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-451",
              "description": "CWE-451: User Interface (UI) Misrepresentation of Critical Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-27T15:10:10.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vjgf-cp5p-wm45"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mailcow/mailcow-dockerized/pull/4766"
        }
      ],
      "source": {
        "advisory": "GHSA-vjgf-cp5p-wm45",
        "discovery": "UNKNOWN"
      },
      "title": "mailcow-dockerized critical information misrepresentation can lead to phishing attacks through Swagger UI",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-39258",
          "STATE": "PUBLIC",
          "TITLE": "mailcow-dockerized critical information misrepresentation can lead to phishing attacks through Swagger UI"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "mailcow-dockerized",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2022-09"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "mailcow"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swapper API Documentation from their e-mail server."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-451: User Interface (UI) Misrepresentation of Critical Information"
                }
              ]
            },
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vjgf-cp5p-wm45",
              "refsource": "CONFIRM",
              "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vjgf-cp5p-wm45"
            },
            {
              "name": "https://github.com/mailcow/mailcow-dockerized/pull/4766",
              "refsource": "MISC",
              "url": "https://github.com/mailcow/mailcow-dockerized/pull/4766"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-vjgf-cp5p-wm45",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-39258",
    "datePublished": "2022-09-27T15:10:10.000Z",
    "dateReserved": "2022-09-02T00:00:00.000Z",
    "dateUpdated": "2025-04-22T17:20:10.592Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation

Phase: Implementation

Strategy: Input Validation

Description:

  • Perform data validation (e.g. syntax, length, etc.) before interpreting the data.

Mitigation

Phase: Architecture and Design

Strategy: Output Encoding

Description:

  • Create a strategy for presenting information, and plan for how to display unusual characters.

CAPEC-154: Resource Location Spoofing

An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.

CAPEC-163: Spear Phishing

An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.

CAPEC-164: Mobile Phishing

An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a text or SMS message, rather than email. The user is enticed to provide information or visit a compromised web site via this message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack.

CAPEC-173: Action Spoofing

An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.

CAPEC-98: Phishing

Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.
