CWE-357
AllowedInsufficient UI Warning of Dangerous Operations
Abstraction: Base · Status: Draft
The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.
38 vulnerabilities reference this CWE, most recent first.
GHSA-J4WQ-QX9V-XVQJ
Vulnerability from github – Published: 2024-01-26 18:30 – Updated: 2024-01-26 18:30Microsoft Edge (Chromium-based) Spoofing Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-21336"
],
"database_specific": {
"cwe_ids": [
"CWE-357"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-26T18:15:12Z",
"severity": "LOW"
},
"details": "Microsoft Edge (Chromium-based) Spoofing Vulnerability",
"id": "GHSA-j4wq-qx9v-xvqj",
"modified": "2024-01-26T18:30:35Z",
"published": "2024-01-26T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21336"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21336"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J67R-3CM4-272W
Vulnerability from github – Published: 2024-06-13 21:30 – Updated: 2024-06-13 21:30Microsoft Edge (Chromium-based) Spoofing Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-30058"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-357"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T20:15:12Z",
"severity": "MODERATE"
},
"details": "Microsoft Edge (Chromium-based) Spoofing Vulnerability",
"id": "GHSA-j67r-3cm4-272w",
"modified": "2024-06-13T21:30:53Z",
"published": "2024-06-13T21:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30058"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30058"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J7P2-87Q3-44W7
Vulnerability from github – Published: 2025-06-13 20:45 – Updated: 2025-06-13 20:45Impact
When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful.
Patches
This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.
Workarounds
We're not aware of any real workarounds apart from just being careful with editing documents previously edited by untrusted users as a user with script, admin or programming right.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-notifications-notifiers-default"
},
"ranges": [
{
"events": [
{
"introduced": "15.9-rc-1"
},
{
"fixed": "15.10.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-notifications-notifiers-default"
},
"ranges": [
{
"events": [
{
"introduced": "16.0.0-rc-1"
},
{
"fixed": "16.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-notifications-notifiers-default"
},
"ranges": [
{
"events": [
{
"introduced": "16.5.0-rc-1"
},
{
"fixed": "16.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-49587"
],
"database_specific": {
"cwe_ids": [
"CWE-357"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-13T20:45:44Z",
"nvd_published_at": "2025-06-13T18:15:22Z",
"severity": "MODERATE"
},
"details": "### Impact\nWhen a user without script right creates a document with an `XWiki.Notifications.Code.NotificationDisplayerClass` object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful.\n\n### Patches\nThis vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.\n\n### Workarounds\nWe\u0027re not aware of any real workarounds apart from just being careful with editing documents previously edited by untrusted users as a user with script, admin or programming right.",
"id": "GHSA-j7p2-87q3-44w7",
"modified": "2025-06-13T20:45:44Z",
"published": "2025-06-13T20:45:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49587"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-22470"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "XWiki does not require right warnings for notification displayer objects"
}
GHSA-M777-GH73-QG52
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-08 18:33Microsoft Office Visio Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43505"
],
"database_specific": {
"cwe_ids": [
"CWE-357"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T18:15:12Z",
"severity": "HIGH"
},
"details": "Microsoft Office Visio Remote Code Execution Vulnerability",
"id": "GHSA-m777-gh73-qg52",
"modified": "2024-10-08T18:33:15Z",
"published": "2024-10-08T18:33:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43505"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43505"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RR25-RMV3-92RM
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2024-12-17 18:33A maliciously crafted program file opened by an unsuspecting user of Rockwell Automation Arena Simulation Software version 16.00.00 and earlier may result in the limited exposure of information related to the targeted workstation. Rockwell Automation has released version 16.00.01 of Arena Simulation Software to address the reported vulnerabilities.
{
"affected": [],
"aliases": [
"CVE-2019-13521"
],
"database_specific": {
"cwe_ids": [
"CWE-357"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-27T23:15:00Z",
"severity": "MODERATE"
},
"details": "A maliciously crafted program file opened by an unsuspecting user of Rockwell Automation Arena Simulation Software version 16.00.00 and earlier may result in the limited exposure of information related to the targeted workstation. Rockwell Automation has released version 16.00.01 of Arena Simulation Software to address the reported vulnerabilities.",
"id": "GHSA-rr25-rmv3-92rm",
"modified": "2024-12-17T18:33:40Z",
"published": "2022-05-24T17:07:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13521"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-213-05"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-799"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VP57-5MPG-G6CQ
Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31Insufficient UI warning of dangerous operations in Remote Desktop Client allows an unauthorized attacker to perform spoofing over a network.
{
"affected": [],
"aliases": [
"CVE-2025-33054"
],
"database_specific": {
"cwe_ids": [
"CWE-357"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T17:15:34Z",
"severity": "HIGH"
},
"details": "Insufficient UI warning of dangerous operations in Remote Desktop Client allows an unauthorized attacker to perform spoofing over a network.",
"id": "GHSA-vp57-5mpg-g6cq",
"modified": "2025-07-08T18:31:44Z",
"published": "2025-07-08T18:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33054"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33054"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W837-7F8R-VF6M
Vulnerability from github – Published: 2025-09-16 21:31 – Updated: 2025-09-16 21:31Insufficient ui warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.
{
"affected": [],
"aliases": [
"CVE-2025-47967"
],
"database_specific": {
"cwe_ids": [
"CWE-357"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-16T19:15:35Z",
"severity": "MODERATE"
},
"details": "Insufficient ui warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.",
"id": "GHSA-w837-7f8r-vf6m",
"modified": "2025-09-16T21:31:18Z",
"published": "2025-09-16T21:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47967"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47967"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WGW8-32PR-G2Q8
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-05-26 21:31Insufficient ui warning of dangerous operations in Windows Remote Desktop allows an unauthorized attacker to perform spoofing over a network.
{
"affected": [],
"aliases": [
"CVE-2026-26151"
],
"database_specific": {
"cwe_ids": [
"CWE-357"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T18:16:45Z",
"severity": "HIGH"
},
"details": "Insufficient ui warning of dangerous operations in Windows Remote Desktop allows an unauthorized attacker to perform spoofing over a network.",
"id": "GHSA-wgw8-32pr-g2q8",
"modified": "2026-05-26T21:31:36Z",
"published": "2026-04-14T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26151"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26151"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-26151-detection-script-spoofing-vulnerability-affecting-windows-remote-desktop"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-26151-mitigation-script-spoofing-vulnerability-affecting-windows-remote-desktop"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.