Vulnerabilities (CVE)

Filtered by CWE-1021
Total 280 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-3799 1 Getgrav 1 Grav-plugin-admin 2024-11-21 5.8 MEDIUM 5.4 MEDIUM
grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames
CVE-2021-3734 1 Yourls 1 Yourls 2024-11-21 6.8 MEDIUM 8.8 HIGH
yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames
CVE-2021-3731 2 Debian, Ledgersmb 2 Debian Linux, Ledgersmb 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targetted user to execute unintended actions.
CVE-2021-3660 2 Cockpit-project, Redhat 2 Cockpit, Enterprise Linux 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
CVE-2021-39796 1 Google 1 Android 2024-11-21 6.9 MEDIUM 7.3 HIGH
In HarmfulAppWarningActivity of HarmfulAppWarningActivity.java, there is a possible way to trick victim to install harmful app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-205595291
CVE-2021-39702 1 Google 1 Android 2024-11-21 9.3 HIGH 7.8 HIGH
In onCreate of RequestManageCredentials.java, there is a possible way for a third party app to install certificates without user approval due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-205150380
CVE-2021-39692 1 Google 1 Android 2024-11-21 9.3 HIGH 7.8 HIGH
In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-209611539
CVE-2021-39691 1 Google 1 Android 2024-11-21 6.9 MEDIUM 7.3 HIGH
In WindowManager, there is a possible tapjacking attack due to an incorrect window flag when processing user input. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-157929241
CVE-2021-39669 1 Google 1 Android 2024-11-21 4.4 MEDIUM 7.8 HIGH
In onCreate of InstallCaCertificateWarning.java, there is a possible way to mislead an user about CA installation circumstances due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-196969991
CVE-2021-39054 2 Ibm, Linux 2 Spectrum Copy Data Management, Linux Kernel 2024-11-21 3.5 LOW 5.4 MEDIUM
IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 214525.
CVE-2021-39038 1 Ibm 1 Websphere Application Server 2024-11-21 3.5 LOW 5.4 MEDIUM
IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 213968.
CVE-2021-38509 2 Debian, Mozilla 4 Debian Linux, Firefox, Firefox Esr and 1 more 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
CVE-2021-38508 2 Debian, Mozilla 4 Debian Linux, Firefox, Firefox Esr and 1 more 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
CVE-2021-38506 2 Debian, Mozilla 4 Debian Linux, Firefox, Firefox Esr and 1 more 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
CVE-2021-38472 1 Inhandnetworks 2 Ir615, Ir615 Firmware 2024-11-21 4.3 MEDIUM 4.7 MEDIUM
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 management portal does not contain an X-FRAME-OPTIONS header, which an attacker may take advantage of by sending a link to an administrator that frames the router’s management portal and could lure the administrator to perform changes.
CVE-2021-37971 3 Debian, Fedoraproject, Google 3 Debian Linux, Fedora, Chrome 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
Incorrect security UI in Web Browser UI in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
CVE-2021-37788 1 Gurock 1 Testrail 2024-11-21 4.3 MEDIUM 5.4 MEDIUM
A vulnerability in the web UI of Gurock TestRail v5.3.0.3603 could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted HTTP packets with malicious iFrame data. A successful exploit could allow the attacker to perform a clickjacking attack where the user is tricked into clicking a malicious link.
CVE-2021-35300 1 Zammad 1 Zammad 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
Text injection/Content Spoofing in 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page.
CVE-2021-35237 1 Solarwinds 1 Kiwi Syslog Server 2024-11-21 4.3 MEDIUM 5.0 MEDIUM
A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. This is an attack on both the user and the server.
CVE-2021-34087 1 Ultimaker 6 Ultimaker 3, Ultimaker 3 Firmware, Ultimaker S3 and 3 more 2024-11-21 6.8 MEDIUM 7.1 HIGH
In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver can be used for clickjacking. This includes the settings page.