Total
279 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-20560 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Sterling Connect Direct User Interface and 3 more | 2024-02-28 | 4.9 MEDIUM | 5.4 MEDIUM |
IBM Sterling Connect:Direct Browser User Interface 1.4.1.1 and 1.5.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 199229. | |||||
CVE-2021-0537 | 1 Google | 1 Android | 2024-02-28 | 4.4 MEDIUM | 7.3 HIGH |
In onCreate of WiFiInstaller.java, there is a possible way to install a malicious Hotspot 2.0 configuration due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-176756141 | |||||
CVE-2021-0523 | 1 Google | 1 Android | 2024-02-28 | 4.4 MEDIUM | 7.3 HIGH |
In onCreate of WifiScanModeActivity.java, there is a possible way to enable Wi-Fi scanning without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-174047492 | |||||
CVE-2021-33596 | 1 F-secure | 1 Safe | 2024-02-28 | 3.5 LOW | 4.1 MEDIUM |
Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. Exploiting the vulnerability requires the user to click on a specially crafted, seemingly legitimate URL containing an embedded malicious redirect while using F-Secure Safe Browser for iOS. | |||||
CVE-2021-0586 | 1 Google | 1 Android | 2024-02-28 | 6.9 MEDIUM | 7.8 HIGH |
In onCreate of DevicePickerFragment.java, there is a possible way to trick the user to select an unwanted bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-182584940 | |||||
CVE-2021-0438 | 1 Google | 1 Android | 2024-02-28 | 4.4 MEDIUM | 7.8 HIGH |
In several functions of InputDispatcher.cpp, WindowManagerService.java, and related files, there is a possible tapjacking attack due to an incorrect FLAG_OBSCURED value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10Android ID: A-152064592 | |||||
CVE-2021-3734 | 1 Yourls | 1 Yourls | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames | |||||
CVE-2021-32070 | 1 Mitel | 1 Micollab | 2024-02-28 | 5.8 MEDIUM | 5.4 MEDIUM |
The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to perform a clickjacking attack due to an insecure header response. A successful exploit could allow an attacker to modify the browser header and redirect users. | |||||
CVE-2021-0433 | 1 Google | 1 Android | 2024-02-28 | 5.4 MEDIUM | 8.0 HIGH |
In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege and pairing malicious devices with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171221090 | |||||
CVE-2021-0506 | 1 Google | 1 Android | 2024-02-28 | 6.9 MEDIUM | 7.3 HIGH |
In ActivityPicker.java, there is a possible bypass of user interaction in intent resolution due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-181962311 | |||||
CVE-2021-3731 | 2 Debian, Ledgersmb | 2 Debian Linux, Ledgersmb | 2024-02-28 | 4.3 MEDIUM | 4.7 MEDIUM |
LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targetted user to execute unintended actions. | |||||
CVE-2021-0538 | 1 Google | 1 Android | 2024-02-28 | 4.4 MEDIUM | 7.3 HIGH |
In onCreate of EmergencyCallbackModeExitDialog.java, there is a possible exit of emergency callback mode due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-178821491 | |||||
CVE-2021-0446 | 1 Google | 1 Android | 2024-02-28 | 4.4 MEDIUM | 7.3 HIGH |
In ImportVCardActivity, there is a possible way to bypass user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-172252122 | |||||
CVE-2021-0487 | 1 Google | 1 Android | 2024-02-28 | 7.2 HIGH | 7.8 HIGH |
In onCreate of CalendarDebugActivity.java, there is a possible way to export calendar data to the sdcard without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174046397 | |||||
CVE-2021-35300 | 1 Zammad | 1 Zammad | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
Text injection/Content Spoofing in 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page. | |||||
CVE-2021-27467 | 1 Emerson | 8 X-stream Enhanced Xefd, X-stream Enhanced Xefd Firmware, X-stream Enhanced Xegk and 5 more | 2024-02-28 | 5.8 MEDIUM | 6.1 MEDIUM |
A vulnerability has been found in multiple revisions of Emerson Rosemount X-STREAM Gas Analyzer. The affected product’s web interface allows an attacker to route click or keystroke to another page provided by the attacker to gain unauthorized access to sensitive information. | |||||
CVE-2021-22866 | 1 Github | 1 Enterprise Server | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but in certain circumstances, if the user revisits the authorization flow after the GitHub App has configured additional user-level permissions, those additional permissions may not be shown, leading to more permissions being granted than the user potentially intended. This vulnerability affected GitHub Enterprise Server 3.0.x prior to 3.0.7 and 2.22.x prior to 2.22.13. It was fixed in versions 3.0.7 and 2.22.13. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
CVE-2021-0603 | 1 Google | 1 Android | 2024-02-28 | 4.4 MEDIUM | 7.8 HIGH |
In onCreate of ContactSelectionActivity.java, there is a possible way to get access to contacts without permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-182809425 | |||||
CVE-2021-37788 | 1 Gurock | 1 Testrail | 2024-02-28 | 4.3 MEDIUM | 5.4 MEDIUM |
A vulnerability in the web UI of Gurock TestRail v5.3.0.3603 could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted HTTP packets with malicious iFrame data. A successful exploit could allow the attacker to perform a clickjacking attack where the user is tricked into clicking a malicious link. | |||||
CVE-2020-7371 | 1 Raiseitsolutions | 1 Rits Browser | 2024-02-28 | 4.3 MEDIUM | 4.3 MEDIUM |
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the RITS Browser version 3.3.9 and prior versions. |