Total
280 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-3799 | 1 Getgrav | 1 Grav-plugin-admin | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames | |||||
| CVE-2021-3734 | 1 Yourls | 1 Yourls | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames | |||||
| CVE-2021-3731 | 2 Debian, Ledgersmb | 2 Debian Linux, Ledgersmb | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targetted user to execute unintended actions. | |||||
| CVE-2021-3660 | 2 Cockpit-project, Redhat | 2 Cockpit, Enterprise Linux | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks. | |||||
| CVE-2021-39796 | 1 Google | 1 Android | 2024-11-21 | 6.9 MEDIUM | 7.3 HIGH |
| In HarmfulAppWarningActivity of HarmfulAppWarningActivity.java, there is a possible way to trick victim to install harmful app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-205595291 | |||||
| CVE-2021-39702 | 1 Google | 1 Android | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| In onCreate of RequestManageCredentials.java, there is a possible way for a third party app to install certificates without user approval due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-205150380 | |||||
| CVE-2021-39692 | 1 Google | 1 Android | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
| In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-209611539 | |||||
| CVE-2021-39691 | 1 Google | 1 Android | 2024-11-21 | 6.9 MEDIUM | 7.3 HIGH |
| In WindowManager, there is a possible tapjacking attack due to an incorrect window flag when processing user input. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-157929241 | |||||
| CVE-2021-39669 | 1 Google | 1 Android | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
| In onCreate of InstallCaCertificateWarning.java, there is a possible way to mislead an user about CA installation circumstances due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-196969991 | |||||
| CVE-2021-39054 | 2 Ibm, Linux | 2 Spectrum Copy Data Management, Linux Kernel | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 214525. | |||||
| CVE-2021-39038 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 213968. | |||||
| CVE-2021-38509 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. | |||||
| CVE-2021-38508 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. | |||||
| CVE-2021-38506 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Through a series of navigations, Firefox could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. | |||||
| CVE-2021-38472 | 1 Inhandnetworks | 2 Ir615, Ir615 Firmware | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
| InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 management portal does not contain an X-FRAME-OPTIONS header, which an attacker may take advantage of by sending a link to an administrator that frames the router’s management portal and could lure the administrator to perform changes. | |||||
| CVE-2021-37971 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Incorrect security UI in Web Browser UI in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
| CVE-2021-37788 | 1 Gurock | 1 Testrail | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the web UI of Gurock TestRail v5.3.0.3603 could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted HTTP packets with malicious iFrame data. A successful exploit could allow the attacker to perform a clickjacking attack where the user is tricked into clicking a malicious link. | |||||
| CVE-2021-35300 | 1 Zammad | 1 Zammad | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Text injection/Content Spoofing in 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page. | |||||
| CVE-2021-35237 | 1 Solarwinds | 1 Kiwi Syslog Server | 2024-11-21 | 4.3 MEDIUM | 5.0 MEDIUM |
| A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. This is an attack on both the user and the server. | |||||
| CVE-2021-34087 | 1 Ultimaker | 6 Ultimaker 3, Ultimaker 3 Firmware, Ultimaker S3 and 3 more | 2024-11-21 | 6.8 MEDIUM | 7.1 HIGH |
| In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver can be used for clickjacking. This includes the settings page. | |||||