CWE-360: Trust of System Event Data
Security based on event locations are insecure and can be spoofed.
Last updated
Overview
Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.
Real-world CVEs
2 recorded CVEs are caused by CWE-360 (Trust of System Event Data). The highest-severity and most recent are shown first.
Common consequences
What can happen when CWE-360 is exploited.
Gain Privileges or Assume Identity, Execute Unauthorized Code or Commands
Affects: Integrity, Confidentiality, Availability, Access Control
If one trusts the system-event information and executes commands based on it, one could potentially take actions based on a spoofed identity.