CWE-360 (Trust of System Event Data) is a common software weakness type identified by MITRE's CWE dictionary.

What is the difference between CVE and CWE?

CWE refers to the type of software weakness (root cause), while CVE refers to a specific instance of a vulnerability in a product.

Back to CWE Database

CWE-360

Trust of System Event Data

High Exploit Likelihood

Weakness Description

Security based on event locations are insecure and can be spoofed.

Events are a messaging system which may provide control data to programs listening for events. Events often do not have any type of authentication framework to allow them to be verified from a trusted source. Any application, in Windows, on a given desktop can send a message to any window on the same desktop. There is no authentication framework for these messages. Therefore, any message can be used to manipulate any process on the desktop if the process does not check the validity and safeness of those messages.

Potential Mitigations

Architecture and Design

Never trust or rely any of the information in an Event for security.

Common Consequences

IntegrityConfidentialityAvailabilityAccess Control

Gain Privileges or Assume IdentityExecute Unauthorized Code or Commands

If one trusts the system-event information and executes commands based on it, one could potentially take actions based on a spoofed identity.

Related Weaknesses

CWE-345

Related Resources

Browse CWE Database

Explore 493 software weaknesses

CVE Database

Search 294,000+ vulnerabilities

Security Writeups

Learn from real-world examples

About 4nuxd

Cybersecurity research & tools

Get in touch for collaboration

Homepage

Explore more security resources