Vulnerabilities (CVE)

Filtered by CWE-1021
Total 280 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-1241 6 Canonical, Debian, Google and 3 more 11 Ubuntu Linux, Debian Linux, Chrome and 8 more 2024-11-21 4.3 MEDIUM N/A
Google Chrome before 42.0.2311.90 does not properly consider the interaction of page navigation with the handling of touch events and gesture events, which allows remote attackers to trigger unintended UI actions via a crafted web site that conducts a "tapjacking" attack.
CVE-2014-1483 5 Canonical, Mozilla, Opensuse and 2 more 8 Ubuntu Linux, Firefox, Seamonkey and 5 more 2024-11-21 5.0 MEDIUM N/A
Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint functions.
CVE-2014-1480 5 Canonical, Mozilla, Opensuse and 2 more 8 Ubuntu Linux, Firefox, Seamonkey and 5 more 2024-11-21 4.3 MEDIUM N/A
The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjacking attacks, and trigger unintended launching of a downloaded file, via a crafted web site.
CVE-2013-5614 7 Canonical, Fedoraproject, Mozilla and 4 more 16 Ubuntu Linux, Fedora, Firefox and 13 more 2024-11-21 4.3 MEDIUM N/A
Mozilla Firefox before 26.0 and SeaMonkey before 2.23 do not properly consider the sandbox attribute of an IFRAME element during processing of a contained OBJECT element, which allows remote attackers to bypass intended sandbox restrictions via a crafted web site.
CVE-2011-1244 1 Microsoft 6 Internet Explorer, Windows 7, Windows Server 2003 and 3 more 2024-11-21 5.8 MEDIUM N/A
Microsoft Internet Explorer 6, 7, and 8 does not enforce intended domain restrictions on content access, which allows remote attackers to obtain sensitive information or conduct clickjacking attacks via a crafted web site, aka "Frame Tag Information Disclosure Vulnerability."
CVE-2008-2716 1 Opera 1 Opera Browser 2024-11-21 5.0 MEDIUM N/A
Unspecified vulnerability in Opera before 9.5 allows remote attackers to spoof the contents of trusted frames on the same parent page by modifying the location, which can facilitate phishing attacks.
CVE-2005-2407 1 Opera 1 Opera Browser 2024-11-20 5.1 MEDIUM N/A
A design error in Opera 8.01 and earlier allows user-assisted attackers to execute arbitrary code by overlaying a malicious new window above a file download dialog box, then tricking the user into double-clicking on the "Run" button, aka "link hijacking".
CVE-2024-7404 2024-11-15 N/A 6.8 MEDIUM
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow.
CVE-2023-7013 1 Google 1 Chrome 2024-11-05 N/A 4.7 MEDIUM
Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. (Chromium security severity: Medium)
CVE-2024-10454 2024-11-01 N/A 6.1 MEDIUM
Clickjacking vulnerability in Clibo Manager v1.1.9.12 in the '/public/login' directory, a login panel. This vulnerability occurs due to the absence of an X-Frame-Options server-side header. An attacker could overlay a transparent iframe to perform click hijacking on victims.
CVE-2024-8388 2 Google, Mozilla 2 Android, Firefox 2024-10-30 N/A 5.3 MEDIUM
Multiple prompts and panels from both Firefox and the Android OS could be used to obscure the notification announcing the transition to fullscreen mode after the fix for CVE-2023-6870 in Firefox 121. This could lead to spoofing the browser UI if the sudden appearance of the prompt distracted the user from noticing the visual transition happening behind the prompt. These notifications now use the Android Toast feature. *This bug only affects Firefox on Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 130.
CVE-2024-7518 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-10-29 N/A 6.5 MEDIUM
Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.
CVE-2023-45698 1 Hcltech 1 Sametime Chat And Meetings 2024-10-28 N/A 6.1 MEDIUM
Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks.
CVE-2024-10004 2024-10-16 N/A 9.1 CRITICAL
Opening an external link to an HTTP website when Firefox iOS was previously closed and had an HTTPS tab open could in some cases result in the padlock icon showing an HTTPS indicator incorrectly This vulnerability affects Firefox for iOS < 131.2.
CVE-2024-9397 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-10-11 N/A 6.1 MEDIUM
A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131.
CVE-2024-2383 1 Zenml 1 Zenml 2024-10-11 N/A 6.1 MEDIUM
A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.
CVE-2021-35237 1 Solarwinds 1 Kiwi Syslog Server 2024-09-16 4.3 MEDIUM 4.3 MEDIUM
A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. This is an attack on both the user and the server.
CVE-2024-39320 1 Discourse 1 Discourse 2024-09-11 N/A 6.1 MEDIUM
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.
CVE-2024-33377 2024-09-06 N/A 8.1 HIGH
LB-LINK BL-W1210M v2.0 was discovered to contain a clickjacking vulnerability via the Administrator login page. Attackers can cause victim users to perform arbitrary operations via interaction with crafted elements on the web page.
CVE-2024-5698 1 Mozilla 1 Firefox 2024-08-23 N/A 6.1 MEDIUM
By manipulating the fullscreen feature while opening a data-list, an attacker could have overlaid a text box over the address bar. This could have led to user confusion and possible spoofing attacks. This vulnerability affects Firefox < 127.