Vulnerabilities (CVE)

Filtered by CWE-1021
Total 279 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-7013 1 Google 1 Chrome 2024-11-05 N/A 4.7 MEDIUM
Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. (Chromium security severity: Medium)
CVE-2024-10454 2024-11-01 N/A 6.1 MEDIUM
Clickjacking vulnerability in Clibo Manager v1.1.9.12 in the '/public/login' directory, a login panel. This vulnerability occurs due to the absence of an X-Frame-Options server-side header. An attacker could overlay a transparent iframe to perform click hijacking on victims.
CVE-2024-8388 2 Google, Mozilla 2 Android, Firefox 2024-10-30 N/A 5.3 MEDIUM
Multiple prompts and panels from both Firefox and the Android OS could be used to obscure the notification announcing the transition to fullscreen mode after the fix for CVE-2023-6870 in Firefox 121. This could lead to spoofing the browser UI if the sudden appearance of the prompt distracted the user from noticing the visual transition happening behind the prompt. These notifications now use the Android Toast feature. *This bug only affects Firefox on Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 130.
CVE-2024-7518 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-10-29 N/A 6.5 MEDIUM
Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.
CVE-2023-45698 1 Hcltech 1 Sametime Chat And Meetings 2024-10-28 N/A 6.1 MEDIUM
Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks.
CVE-2024-10004 2024-10-16 N/A 9.1 CRITICAL
Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in the padlock icon showing an HTTPS indicator incorrectly This vulnerability affects Firefox for iOS < 131.2.
CVE-2024-9397 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-10-11 N/A 6.1 MEDIUM
A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
CVE-2024-2383 1 Zenml 1 Zenml 2024-10-11 N/A 6.1 MEDIUM
A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.
CVE-2021-35237 1 Solarwinds 1 Kiwi Syslog Server 2024-09-16 4.3 MEDIUM 4.3 MEDIUM
A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. This is an attack on both the user and the server.
CVE-2024-39320 1 Discourse 1 Discourse 2024-09-11 N/A 6.1 MEDIUM
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.
CVE-2024-33377 2024-09-06 N/A 8.1 HIGH
LB-LINK BL-W1210M v2.0 was discovered to contain a clickjacking vulnerability via the Administrator login page. Attackers can cause victim users to perform arbitrary operations via interaction with crafted elements on the web page.
CVE-2024-5698 1 Mozilla 1 Firefox 2024-08-23 N/A 6.1 MEDIUM
By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 127.
CVE-2024-40817 1 Apple 2 Macos, Safari 2024-08-15 N/A 6.1 MEDIUM
The issue was addressed with improved UI handling. This issue is fixed in macOS Sonoma 14.6, Safari 17.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing.
CVE-2023-42011 1 Ibm 1 Sterling B2b Integrator 2024-08-06 N/A 5.4 MEDIUM
IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: 265508.
CVE-2022-36736 1 Jitsi 1 Jitsi 2024-08-03 N/A 6.1 MEDIUM
Jitsi-2.10.5550 was discovered to contain a vulnerability in its web UI which allows attackers to perform a clickjacking attack via a crafted HTTP request. NOTE: this is disputed by the vendor
CVE-2024-2613 2024-08-02 N/A 7.5 HIGH
Data was not properly sanitized when decoding a QUIC ACK frame; this could have led to unrestricted memory consumption and a crash. This vulnerability affects Firefox < 124.
CVE-2023-23126 1 Connectwise 1 Automate 2024-08-02 N/A 6.1 MEDIUM
Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy HTTP response header is present to block this attack.
CVE-2024-1890 2024-08-01 N/A 6.4 MEDIUM
Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier.
CVE-2024-2177 2024-07-09 N/A 6.8 MEDIUM
A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.
CVE-2024-3911 2024-07-03 N/A 6.5 MEDIUM
An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames.