Vulnerabilities (CVE)

Filtered by CWE-1021
Total 279 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-0654 1 Cloudflare 1 Warp 2024-02-28 N/A 3.7 LOW
Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim's device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker's app.
CVE-2023-41897 1 Home-assistant 1 Home-assistant 2024-02-28 N/A 9.6 CRITICAL
Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-37455 1 Mozilla 1 Firefox 2024-02-28 N/A 5.4 MEDIUM
The permission request prompt from the site in the background tab was overlaid on top of the site in the foreground tab. This vulnerability affects Firefox for iOS < 115.
CVE-2023-5103 1 Sick 2 Apu0200, Apu0200 Firmware 2024-02-28 N/A 4.3 MEDIUM
Improper Restriction of Rendered UI Layers or Frames in RDT400 in SICK APU allows an unprivileged remote attacker to potentially reveal sensitive information via tricking a user into clicking on an actionable item using an iframe.
CVE-2023-4229 1 Moxa 2 Iologik E4200, Iologik E4200 Firmware 2024-02-28 N/A 4.7 MEDIUM
A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, potentially exposing users to security risks. This vulnerability may allow attackers to trick users into interacting with malicious content, leading to unintended actions or unauthorized data disclosures.
CVE-2022-20443 1 Google 1 Android 2024-02-28 N/A 7.8 HIGH
In hasInputInfo of Layer.cpp, there is a possible bypass of user interaction requirements due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-194480991
CVE-2022-43378 1 Schneider-electric 10 Netbotz 355, Netbotz 355 Firmware, Netbotz 450 and 7 more 2024-02-28 N/A 6.5 MEDIUM
A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause the user to be tricked into performing unintended actions when external address frames are not properly restricted. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior)
CVE-2023-23343 1 Hcltech 1 Bigfix Osd Bare Metal Server 2024-02-28 N/A 6.1 MEDIUM
A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled domain.
CVE-2023-3140 1 Knime 1 Business Hub 2024-02-28 N/A 4.3 MEDIUM
Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 has left users vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server.
CVE-2022-45096 1 Dell 1 Emc Powerscale Onefs 2024-02-28 N/A 6.5 MEDIUM
Dell PowerScale OneFS, 8.2.0 through 9.3.0, contain an User Interface Security Issue. An unauthenticated remote user could unintentionally lead an administrator to enable this vulnerability, leading to disclosure of information.
CVE-2022-28286 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-02-28 N/A 5.4 MEDIUM
Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8.
CVE-2022-40268 1 Mitsubishielectric 5 Gt25, Gt25 Firmware, Gt27 and 2 more 2024-02-28 N/A 4.7 MEDIUM
Improper Restriction of Rendered UI Layers or Frames vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.14.000 to 01.47.000, Mitsubishi Electric Corporation GOT2000 Series GT25 model versions 01.14.000 to 01.47.000 and Mitsubishi Electric Corporation GT SoftGOT2000 versions 1.265B to 1.285X allows a remote unauthenticated attacker to lead legitimate users to perform unintended operations through clickjacking.
CVE-2022-29911 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-02-28 N/A 6.1 MEDIUM
An improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-activation</code> could lead to script execution without <code>allow-scripts</code> being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.
CVE-2022-20442 1 Google 1 Android 2024-02-28 N/A 7.3 HIGH
In onCreate of ReviewPermissionsActivity.java, there is a possible way to grant permissions for a separate app with API level < 23 due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-176094367
CVE-2023-1362 1 Bumsys Project 1 Bumsys 2024-02-28 N/A 6.1 MEDIUM
Improper Restriction of Rendered UI Layers or Frames in GitHub repository unilogies/bumsys prior to v2.0.2.
CVE-2022-46061 1 Aerocms Project 1 Aerocms 2024-02-28 N/A 6.1 MEDIUM
AeroCMS v0.0.1 is vulnerable to ClickJacking.
CVE-2022-34318 1 Ibm 1 Cics Tx 2024-02-28 N/A 6.1 MEDIUM
IBM CICS TX 11.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 229461.
CVE-2022-20553 1 Google 1 Android 2024-02-28 N/A 6.5 MEDIUM
In onCreate of LogAccessDialogActivity.java, there is a possible way to bypass a permission check due to a tapjacking/overlay attack. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-244155265
CVE-2022-20501 1 Google 1 Android 2024-02-28 N/A 7.3 HIGH
In onCreate of EnableAccountPreferenceActivity.java, there is a possible way to mislead the user into enabling a malicious phone account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-246933359
CVE-2022-45417 1 Mozilla 1 Firefox 2024-02-28 N/A 4.3 MEDIUM
Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have leaked Private Browsing Mode details to disk. This vulnerability affects Firefox < 107.