Total: 279 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2022-2734 | 1 Open-emr | 1 Openemr | 2024-02-28 | N/A | 5.4 MEDIUM | Improper Restriction of Rendered UI Layers or Frames in GitHub repository openemr/openemr prior to 7.0.0.1. |
CVE-2022-1138 | 1 Google | 1 Chrome | 2024-02-28 | N/A | 6.5 MEDIUM | Inappropriate implementation in Web Cursor in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who had compromised the renderer process to obscure the contents of the Omnibox (URL bar) via a crafted HTML page. |
CVE-2022-2179 | 1 Rockwellautomation | 4 Micrologix 1100, Micrologix 1100 Firmware, Micrologix 1400 and 1 more | 2024-02-28 | N/A | 6.5 MEDIUM | The X-Frame-Options header in Rockwell Automation MicroLogix 1100/1400 Versions 21.007 and prior is not configured in the HTTP response, which could allow clickjacking attacks. |
CVE-2022-20852 | 1 Cisco | 1 Webex Meetings | 2024-02-28 | N/A | 6.5 MEDIUM | Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow a remote attacker to conduct a cross-site scripting (XSS) attack or a frame hijacking attack against a user of the web interface. For more information about these vulnerabilities, see the Details section of this advisory. |
CVE-2022-33723 | 1 Google | 1 Android | 2024-02-28 | N/A | 6.1 MEDIUM | A vulnerable code in onCreate of BluetoothScanDialog prior to SMR Aug-2022 Release 1 allows attackers to trick the user into selecting an unwanted Bluetooth device via a tapjacking/overlay attack. |
CVE-2022-2800 | 1 Gym Management System Project | 1 Gym Management System | 2024-02-28 | N/A | 6.1 MEDIUM | A vulnerability, which was classified as problematic, has been found in SourceCodester Gym Management System. Affected by this issue is some unknown functionality. The manipulation leads to clickjacking. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-206246 is the identifier assigned to this vulnerability. |
CVE-2022-33727 | 1 Google | 1 Android | 2024-02-28 | N/A | 6.1 MEDIUM | A vulnerable code in onCreate of SecDevicePickerDialog prior to SMR Aug-2022 Release 1 allows attackers to trick the user into selecting an unwanted Bluetooth device via a tapjacking/overlay attack. |
CVE-2022-36182 | 1 Hashicorp | 1 Boundary | 2024-02-28 | N/A | 6.1 MEDIUM | Hashicorp Boundary v0.8.0 is vulnerable to clickjacking, which allows for the interception of login credentials, redirection of users to malicious sites, or causing users to perform malicious actions on the site. |
CVE-2022-20331 | 1 Google | 1 Android | 2024-02-28 | N/A | 7.8 HIGH | In the Framework, there is a possible way to enable a work profile without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-13; Android ID: A-181785557 |
CVE-2022-2965 | 1 Notrinos | 1 Notrinoserp | 2024-02-28 | N/A | 4.3 MEDIUM | Improper Restriction of Rendered UI Layers or Frames in GitHub repository notrinos/notrinoserp prior to 0.7. |
CVE-2022-3167 | 1 Ikus-soft | 1 Rdiffweb | 2024-02-28 | N/A | 8.8 HIGH | Improper Restriction of Rendered UI Layers or Frames in GitHub repository ikus060/rdiffweb prior to 2.4.1. |
CVE-2021-39038 | 1 Ibm | 1 Websphere Application Server | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM | IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 213968. |
CVE-2021-44683 | 1 Duckduckgo | 1 Duckduckgo | 2024-02-28 | 5.8 MEDIUM | 8.2 HIGH | The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker's web site. |
CVE-2021-27773 | 1 Hcltech | 1 Sametime | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM | This vulnerability allows users to execute a clickjacking attack in the meeting's chat. |
CVE-2021-3660 | 2 Cockpit-project, Redhat | 2 Cockpit, Enterprise Linux | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM | Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an `<iframe>` HTML element. This may be used by a malicious website in clickjacking or similar attacks. |
CVE-2022-0455 | 1 Google | 2 Android, Chrome | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM | Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 98.0.4758.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. |
CVE-2022-22807 | 1 Schneider-electric | 14 Hmibscea53d1edb, Hmibscea53d1edb Firmware, Hmibscea53d1edl and 11 more | 2024-02-28 | 4.3 MEDIUM | 7.4 HIGH | A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user into using the web interface rendered within iframes. Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13) |
CVE-2017-20041 | 1 Ucweb | 1 Uc Browser | 2024-02-28 | 4.3 MEDIUM | 6.5 MEDIUM | A vulnerability was found in Ucweb UC Browser 11.2.5.932. It has been classified as critical. Affected is an unknown function of the component HTML Handler. The manipulation of the argument title leads to improper restriction of rendered UI layers (URL). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
CVE-2021-39702 | 1 Google | 1 Android | 2024-02-28 | 9.3 HIGH | 7.8 HIGH | In onCreate of RequestManageCredentials.java, there is a possible way for a third party app to install certificates without user approval due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-12; Android ID: A-205150380 |
CVE-2022-27220 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected application is missing general HTTP security headers in the web server configured on port 6220. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors. |