Vulnerabilities (CVE)

Filtered by CWE-1021
Total 279 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-29865 3 Ibm, Linux, Microsoft 3 Jazz Team Server, Linux Kernel, Windows 2024-02-28 4.9 MEDIUM 5.4 MEDIUM
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 206091.
CVE-2022-1803 1 Trudesk Project 1 Trudesk 2024-02-28 4.9 MEDIUM 6.9 MEDIUM
Improper Restriction of Rendered UI Layers or Frames in GitHub repository polonel/trudesk prior to 1.2.2.
CVE-2021-39796 1 Google 1 Android 2024-02-28 6.9 MEDIUM 7.3 HIGH
In HarmfulAppWarningActivity of HarmfulAppWarningActivity.java, there is a possible way to trick victim to install harmful app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-205595291
CVE-2021-39669 1 Google 1 Android 2024-02-28 4.4 MEDIUM 7.8 HIGH
In onCreate of InstallCaCertificateWarning.java, there is a possible way to mislead an user about CA installation circumstances due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-196969991
CVE-2022-28649 1 Jetbrains 1 Youtrack 2024-02-28 3.5 LOW 5.4 MEDIUM
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
CVE-2022-27219 1 Siemens 1 Sinema Remote Connect Server 2024-02-28 4.3 MEDIUM 4.3 MEDIUM
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 443. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors.
CVE-2021-27414 1 Hitachienergy 1 Ellipse Enterprise Asset Management 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
An attacker could trick a user of Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 into visiting a malicious website posing as a login page for the Ellipse application and gather authentication credentials.
CVE-2022-24733 1 Sylius 1 Sylius 2024-02-28 5.8 MEDIUM 6.1 MEDIUM
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.
CVE-2021-46708 1 Smartbear 1 Swagger-ui-dist 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.
CVE-2021-41657 1 Smartbear 1 Collaborator 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
SmartBear CodeCollaborator v6.1.6102 was discovered to contain a vulnerability in the web UI which would allow an attacker to conduct a clickjacking attack.
CVE-2021-39692 1 Google 1 Android 2024-02-28 9.3 HIGH 7.8 HIGH
In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-209611539
CVE-2022-0110 2 Fedoraproject, Google 2 Fedora, Chrome 2024-02-28 4.3 MEDIUM 4.3 MEDIUM
Incorrect security UI in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
CVE-2021-39691 1 Google 1 Android 2024-02-28 6.9 MEDIUM 7.3 HIGH
In WindowManager, there is a possible tapjacking attack due to an incorrect window flag when processing user input. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-157929241
CVE-2021-3799 1 Getgrav 1 Grav-plugin-admin 2024-02-28 5.8 MEDIUM 5.4 MEDIUM
grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames
CVE-2021-1036 1 Google 1 Android 2024-02-28 6.8 MEDIUM 7.8 HIGH
In LocationSettingsActivity of AndroidManifest.xml, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-182812255
CVE-2021-1038 1 Google 1 Android 2024-02-28 4.7 MEDIUM 5.5 MEDIUM
In UserDetailsActivity of AndroidManifest.xml, there is a possible DoS due to a tapjacking/overlay attack. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-183411279
CVE-2021-34087 1 Ultimaker 6 Ultimaker 3, Ultimaker 3 Firmware, Ultimaker S3 and 3 more 2024-02-28 6.8 MEDIUM 7.1 HIGH
In Ultimaker S3 3D printer, Ultimaker S5 3D printer, Ultimaker 3 3D printer S-line through 6.3 and Ultimaker 3 through 5.2.16, the local webserver can be used for clickjacking. This includes the settings page.
CVE-2021-40834 1 F-secure 1 Safe 2024-02-28 4.3 MEDIUM 4.3 MEDIUM
A user interface overlay vulnerability was discovered in F-secure SAFE Browser for Android. When user click on a specially crafted seemingly legitimate URL SAFE browser goes into full screen and hides the user interface. A remote attacker can leverage this to perform spoofing attack.
CVE-2021-38508 2 Debian, Mozilla 4 Debian Linux, Firefox, Firefox Esr and 1 more 2024-02-28 4.3 MEDIUM 4.3 MEDIUM
By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.
CVE-2021-38472 1 Inhandnetworks 2 Ir615, Ir615 Firmware 2024-02-28 4.3 MEDIUM 4.7 MEDIUM
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 management portal does not contain an X-FRAME-OPTIONS header, which an attacker may take advantage of by sending a link to an administrator that frames the router’s management portal and could lure the administrator to perform changes.