Common Weakness Enumeration

CWE-449

Allowed

The UI Performs the Wrong Action

Abstraction: Base · Status: Incomplete

The UI performs the wrong action with respect to the user's request.

26 vulnerabilities reference this CWE, most recent first.

CVE-2023-39209 (GCVE-0-2023-39209)

Vulnerability from cvelistv5 – Published: 2023-08-08 21:39 – Updated: 2024-10-04 17:31
VLAI
Summary
Improper input validation in Zoom Desktop Client for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via network access.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-449 - The UI Performs the Wrong Action
Assigner
Impacted products
Date Public
2023-08-08 15:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:02:06.838Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://explore.zoom.us/en/trust/security/security-bulletin/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-39209",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-04T17:29:30.375597Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-04T17:31:35.321Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Zoom Desktop Client for Windows",
          "vendor": "Zoom Video Communications, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "before 5.15.5"
            }
          ]
        }
      ],
      "datePublic": "2023-08-08T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper input validation in Zoom Desktop Client for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via network access."
            }
          ],
          "value": "Improper input validation in Zoom Desktop Client for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via network access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-449",
              "description": "CWE-449: The UI Performs the Wrong Action",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-27T19:03:35.453Z",
        "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
        "shortName": "Zoom"
      },
      "references": [
        {
          "url": "https://explore.zoom.us/en/trust/security/security-bulletin/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
    "assignerShortName": "Zoom",
    "cveId": "CVE-2023-39209",
    "datePublished": "2023-08-08T21:39:52.327Z",
    "dateReserved": "2023-07-25T18:38:00.937Z",
    "dateUpdated": "2024-10-04T17:31:35.321Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-36535 (GCVE-0-2023-36535)

Vulnerability from cvelistv5 – Published: 2023-08-08 17:39 – Updated: 2024-10-08 15:03
VLAI
Summary
Client-side enforcement of server-side security in Zoom clients before 5.14.10 may allow an authenticated user to enable information disclosure via network access.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-449 - The UI Performs the Wrong Action
Assigner
Impacted products
Date Public
2023-08-08 15:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:52:52.352Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://explore.zoom.us/en/trust/security/security-bulletin/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-36535",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-08T15:00:22.199594Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-08T15:03:49.453Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Zoom Clients",
          "vendor": "Zoom Video Communications, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "before 5.14.10"
            }
          ]
        }
      ],
      "datePublic": "2023-08-08T15:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Client-side enforcement of server-side security in Zoom clients before 5.14.10 may allow an authenticated user to enable information disclosure via network access."
            }
          ],
          "value": "Client-side enforcement of server-side security in Zoom clients before 5.14.10 may allow an authenticated user to enable information disclosure via network access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-449",
              "description": "CWE-449: The UI Performs the Wrong Action",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-27T18:47:30.828Z",
        "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
        "shortName": "Zoom"
      },
      "references": [
        {
          "url": "https://explore.zoom.us/en/trust/security/security-bulletin/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351",
    "assignerShortName": "Zoom",
    "cveId": "CVE-2023-36535",
    "datePublished": "2023-08-08T17:39:51.259Z",
    "dateReserved": "2023-06-22T18:04:31.168Z",
    "dateUpdated": "2024-10-08T15:03:49.453Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2C6F-5H2F-XJ25

Vulnerability from github – Published: 2025-12-02 21:31 – Updated: 2025-12-03 00:30
VLAI
Details

Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass download protections via a crafted HTML page. (Chromium security severity: Low)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-449"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-02T19:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass download protections via a crafted HTML page. (Chromium security severity: Low)",
  "id": "GHSA-2c6f-5h2f-xj25",
  "modified": "2025-12-03T00:30:28Z",
  "published": "2025-12-02T21:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13637"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/392375329"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-445X-HW57-F2Q2

Vulnerability from github – Published: 2023-08-09 00:31 – Updated: 2024-04-04 06:43
VLAI
Details

Improper input validation in Zoom Desktop Client for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-449"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-08T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "\nImproper input validation in Zoom Desktop Client for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via network access.\n\n",
  "id": "GHSA-445x-hw57-f2q2",
  "modified": "2024-04-04T06:43:07Z",
  "published": "2023-08-09T00:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39209"
    },
    {
      "type": "WEB",
      "url": "https://explore.zoom.us/en/trust/security/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-897P-22V6-2J5G

Vulnerability from github – Published: 2024-02-14 00:35 – Updated: 2024-02-14 00:35
VLAI
Details

Improper authentication in some Zoom clients may allow a privileged user to conduct a disclosure of information via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-24698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-449"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-14T00:15:47Z",
    "severity": "MODERATE"
  },
  "details": "Improper authentication in some Zoom clients may allow a privileged user to conduct a disclosure of information via local access.\n",
  "id": "GHSA-897p-22v6-2j5g",
  "modified": "2024-02-14T00:35:43Z",
  "published": "2024-02-14T00:35:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24698"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/ZSB-24005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-99VH-CG75-PMJ9

Vulnerability from github – Published: 2025-03-07 21:31 – Updated: 2025-03-07 21:31
VLAI
Details

No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-449"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-07T19:15:37Z",
    "severity": "MODERATE"
  },
  "details": "No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.",
  "id": "GHSA-99vh-cg75-pmj9",
  "modified": "2025-03-07T21:31:10Z",
  "published": "2025-03-07T21:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26643"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26643"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CQ92-FPFC-PH75

Vulnerability from github – Published: 2025-08-12 18:31 – Updated: 2025-08-12 18:31
VLAI
Details

The ui performs the wrong action in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-449"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T18:15:30Z",
    "severity": "MODERATE"
  },
  "details": "The ui performs the wrong action in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.",
  "id": "GHSA-cq92-fpfc-ph75",
  "modified": "2025-08-12T18:31:30Z",
  "published": "2025-08-12T18:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49736"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49736"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4WC-3QJ8-GQ9P

Vulnerability from github – Published: 2023-09-12 21:30 – Updated: 2024-04-04 07:38
VLAI
Details

Improper authentication in Zoom clients may allow an authenticated user to conduct a denial of service via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-449"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-12T20:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Improper authentication in Zoom clients may allow an authenticated user to conduct a denial of service via network access.",
  "id": "GHSA-f4wc-3qj8-gq9p",
  "modified": "2024-04-04T07:38:32Z",
  "published": "2023-09-12T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39215"
    },
    {
      "type": "WEB",
      "url": "https://explore.zoom.us/en/trust/security/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FRH8-6QGG-HM8V

Vulnerability from github – Published: 2023-12-14 00:30 – Updated: 2024-09-27 21:31
VLAI
Details

Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43585"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-449"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-13T23:15:07Z",
    "severity": "HIGH"
  },
  "details": "Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access.",
  "id": "GHSA-frh8-6qgg-hm8v",
  "modified": "2024-09-27T21:31:45Z",
  "published": "2023-12-14T00:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43585"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/ZSB-23058"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G6RC-7QWP-R256

Vulnerability from github – Published: 2025-02-07 03:32 – Updated: 2025-02-07 03:32
VLAI
Details

Microsoft Edge (Chromium-based) Spoofing Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-449",
      "CWE-451"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-06T23:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Microsoft Edge (Chromium-based) Spoofing Vulnerability",
  "id": "GHSA-g6rc-7qwp-r256",
  "modified": "2025-02-07T03:32:03Z",
  "published": "2025-02-07T03:32:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21404"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21404"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.