Total: 279 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-7013 | 1 Google | 1 Chrome | 2024-11-05 | N/A | 4.7 MEDIUM | Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. (Chromium security severity: Medium) |
CVE-2024-10454 | | | 2024-11-01 | N/A | 6.1 MEDIUM | Clickjacking vulnerability in Clibo Manager v1.1.9.12 in the '/public/login' directory, a login panel. This vulnerability occurs due to the absence of an X-Frame-Options server-side header. An attacker could overlay a transparent iframe to perform click hijacking on victims. |
CVE-2024-8388 | 2 Google, Mozilla | 2 Android, Firefox | 2024-10-30 | N/A | 5.3 MEDIUM | Multiple prompts and panels from both Firefox and the Android OS could be used to obscure the notification announcing the transition to fullscreen mode after the fix for CVE-2023-6870 in Firefox 121. This could lead to spoofing the browser UI if the sudden appearance of the prompt distracted the user from noticing the visual transition happening behind the prompt. These notifications now use the Android Toast feature. *This bug only affects Firefox on Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 130. |
CVE-2024-7518 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-10-29 | N/A | 6.5 MEDIUM | Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1. |
CVE-2023-45698 | 1 Hcltech | 1 Sametime Chat And Meetings | 2024-10-28 | N/A | 6.1 MEDIUM | Sametime is impacted by lack of clickjacking protection in the Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks. |
CVE-2024-10004 | | | 2024-10-16 | N/A | 9.1 CRITICAL | Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in the padlock icon showing an HTTPS indicator incorrectly. This vulnerability affects Firefox for iOS < 131.2. |
CVE-2024-9397 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2024-10-11 | N/A | 6.1 MEDIUM | A missing delay in the directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131. |
CVE-2024-2383 | 1 Zenml | 1 Zenml | 2024-10-11 | N/A | 6.1 MEDIUM | A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3. |
CVE-2021-35237 | 1 Solarwinds | 1 Kiwi Syslog Server | 2024-09-16 | 4.3 MEDIUM | 4.3 MEDIUM | A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to clickjacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server on which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends it to the other server. This is an attack on both the user and the server. |
CVE-2024-39320 | 1 Discourse | 1 Discourse | 2024-09-11 | N/A | 6.1 MEDIUM | Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5. |
CVE-2024-33377 | | | 2024-09-06 | N/A | 8.1 HIGH | LB-LINK BL-W1210M v2.0 was discovered to contain a clickjacking vulnerability via the Administrator login page. Attackers can cause victim users to perform arbitrary operations via interaction with crafted elements on the web page. |
CVE-2024-5698 | 1 Mozilla | 1 Firefox | 2024-08-23 | N/A | 6.1 MEDIUM | By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 127. |
CVE-2024-40817 | 1 Apple | 2 Macos, Safari | 2024-08-15 | N/A | 6.1 MEDIUM | The issue was addressed with improved UI handling. This issue is fixed in macOS Sonoma 14.6, Safari 17.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing. |
CVE-2023-42011 | 1 Ibm | 1 Sterling B2b Integrator | 2024-08-06 | N/A | 5.4 MEDIUM | IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: 265508. |
CVE-2022-36736 | 1 Jitsi | 1 Jitsi | 2024-08-03 | N/A | 6.1 MEDIUM | Jitsi-2.10.5550 was discovered to contain a vulnerability in its web UI which allows attackers to perform a clickjacking attack via a crafted HTTP request. NOTE: this is disputed by the vendor. |
CVE-2024-2613 | | | 2024-08-02 | N/A | 7.5 HIGH | Data was not properly sanitized when decoding a QUIC ACK frame; this could have led to unrestricted memory consumption and a crash. This vulnerability affects Firefox < 124. |
CVE-2023-23126 | 1 Connectwise | 1 Automate | 2024-08-02 | N/A | 6.1 MEDIUM | Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy HTTP response header is present to block this attack. |
CVE-2024-1890 | | | 2024-08-01 | N/A | 6.4 MEDIUM | Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier. |
CVE-2024-2177 | | | 2024-07-09 | N/A | 6.8 MEDIUM | A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows an attacker to abuse the OAuth authentication flow via a crafted payload. |
CVE-2024-3911 | | | 2024-07-03 | N/A | 6.5 MEDIUM | An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames. |