Weaknesses in this category are related to or introduced in the User Interface (UI).

| ID | Name | Description |
|---|---|---|
| CWE-1007 | Insufficient Visual Distinction of Homoglyphs Presented to User | This vulnerability occurs when an application shows text or symbols to users without clearly distinguishing between characters that look identical or very similar (called homoglyphs). Because users can't easily tell these characters apart, they might misinterpret information and accidentally perform unsafe actions, like clicking a malicious link. |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | This vulnerability occurs when a web application fails to properly control whether its pages can be embedded within frames or UI layers from other websites, potentially misleading users about which site they are interacting with. |
| CWE-356 | Product UI does not Warn User of Unsafe Actions | This vulnerability occurs when a software interface fails to alert users before they perform a risky action. Without clear warnings, users can be more easily misled into taking steps that harm their system or data. |
| CWE-357 | Insufficient UI Warning of Dangerous Operations | This vulnerability occurs when a software application does present a warning to a user before a risky action, but the warning is designed or placed in a way that makes it too easy to miss, ignore, or accidentally dismiss. |
| CWE-447 | Unimplemented or Unsupported Feature in UI | This vulnerability occurs when a user interface displays a security feature as active and functional, but the underlying code that powers it is either missing or disabled. Users receive visual confirmation that a protection is in place, creating a false sense of security. |
| CWE-448 | Obsolete Feature in UI | This vulnerability occurs when a user interface (UI) includes outdated or deprecated features, but fails to alert users about their obsolete status. This can mislead users into relying on functionality that may be broken, unsupported, or pose a security risk. |
| CWE-449 | The UI Performs the Wrong Action | This vulnerability occurs when a user interface (UI) element or command performs a different, unintended action than what the user requested, potentially leading to security bypass, data corruption, or unexpected system behavior. |
| CWE-549 | Missing Password Field Masking | This vulnerability occurs when an application fails to hide password characters as they are typed, making them visible to anyone who can see the screen. This exposes user credentials to onlookers or screen-capturing malware. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |