Category: User Interface Security Issues
Draft
Summary
Weaknesses in this category are related to or introduced in the User Interface (UI).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1007 | Insufficient Visual Distinction of Homoglyphs Presented to User | The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action. |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. |
| CWE-356 | Product UI does not Warn User of Unsafe Actions | The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system. |
| CWE-357 | Insufficient UI Warning of Dangerous Operations | The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention. |
| CWE-447 | Unimplemented or Unsupported Feature in UI | A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented. |
| CWE-448 | Obsolete Feature in UI | A UI function is obsolete and the product does not warn the user. |
| CWE-449 | The UI Performs the Wrong Action | The UI performs the wrong action with respect to the user's request. |
| CWE-549 | Missing Password Field Masking | The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords. |
| CWE-699 | Software Development | This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.