Vulnerabilities (CVE)

Filtered by CWE-1021
Total 280 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-0433 1 Google 1 Android 2024-11-21 5.4 MEDIUM 8.0 HIGH
In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege and pairing malicious devices with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171221090
CVE-2021-0391 1 Google 1 Android 2024-11-21 6.8 MEDIUM 7.8 HIGH
In onCreate() of ChooseTypeAndAccountActivity.java, there is a possible way to learn the existence of an account, without permissions, due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-172841550
CVE-2021-0386 1 Google 1 Android 2024-11-21 6.8 MEDIUM 7.8 HIGH
In onCreate of UsbConfirmActivity, there is a possible tapjacking vector due to an insecure default value. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-173421110
CVE-2021-0333 1 Google 1 Android 2024-11-21 6.9 MEDIUM 7.3 HIGH
In onCreate of BluetoothPermissionActivity.java, there is a possible permissions bypass due to a tapjacking overlay that obscures the phonebook permissions dialog when a Bluetooth device is connecting. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-168504491
CVE-2021-0331 1 Google 1 Android 2024-11-21 6.9 MEDIUM 7.3 HIGH
In onCreate of NotificationAccessConfirmationActivity.java, there is a possible overlay attack due to an insecure default value. This could lead to local escalation of privilege and notification access with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-170731783
CVE-2021-0315 1 Google 1 Android 2024-11-21 4.4 MEDIUM 7.3 HIGH
In onCreate of GrantCredentialsPermissionActivity.java, there is a possible way to convince the user to grant an app access to an account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-169763814.
CVE-2021-0314 1 Google 1 Android 2024-11-21 6.9 MEDIUM 7.3 HIGH
In onCreate of UninstallerActivity, there is a possible way to uninstall an all without informed user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-171221302
CVE-2021-0305 1 Google 1 Android 2024-11-21 9.3 HIGH 7.8 HIGH
In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10Android ID: A-154015447
CVE-2021-0302 1 Google 1 Android 2024-11-21 9.3 HIGH 7.8 HIGH
In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10Android ID: A-155287782
CVE-2020-9993 1 Apple 4 Ipados, Iphone Os, Safari and 1 more 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
The issue was addressed with improved UI handling. This issue is fixed in watchOS 7.0, Safari 14.0, iOS 14.0 and iPadOS 14.0. Visiting a malicious website may lead to address bar spoofing.
CVE-2020-9987 1 Apple 1 Safari 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
An inconsistent user interface issue was addressed with improved state management. This issue is fixed in Safari 14.0. Visiting a malicious website may lead to address bar spoofing.
CVE-2020-9945 1 Apple 2 Mac Os X, Safari 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, Safari 14.0.1. Visiting a malicious website may lead to address bar spoofing.
CVE-2020-9942 1 Apple 2 Mac Os X, Safari 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1, Safari 13.1.2. Visiting a malicious website may lead to address bar spoofing.
CVE-2020-9517 1 Microfocus 1 Service Manager 2024-11-21 4.9 MEDIUM 5.4 MEDIUM
There is an improper restriction of rendered UI layers or frames vulnerability in Micro Focus Service Manager Release Control versions 9.50 and 9.60. The vulnerability may result in the ability of malicious users to perform UI redress attacks.
CVE-2020-9444 1 Zulip 1 Zulip Server 2024-11-21 5.8 MEDIUM 6.1 MEDIUM
Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown functionality.
CVE-2020-7705 1 Mintegral 1 Mintegraladsdk 2024-11-21 5.8 MEDIUM 7.1 HIGH
This affects the package MintegralAdSDK from 0.0.0. The SDK distributed by the company contains malicious functionality that tracks any URL opened by the app and reports it back to the company, along with performing advertisement attribution fraud. Mintegral can remotely activate hooks on the UIApplication, openURL, SKStoreProductViewController, loadProductWithParameters and NSURLProtocol methods along with anti-debug and proxy detection protection. If those hooks are active MintegralAdSDK sends obfuscated data about every opened URL in an application to their servers. Note that the malicious functionality is enabled even if the SDK was not enabled to serve ads.
CVE-2020-7371 1 Raiseitsolutions 1 Rits Browser 2024-11-21 4.3 MEDIUM 4.3 MEDIUM
User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the RITS Browser version 3.3.9 and prior versions.
CVE-2020-6827 2 Google, Mozilla 2 Android, Firefox Esr 2024-11-21 4.3 MEDIUM 4.7 MEDIUM
When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying the incorrect URI. <br> *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.7.
CVE-2020-6547 3 Debian, Fedoraproject, Google 3 Debian Linux, Fedora, Chrome 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
Incorrect security UI in media in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially obtain sensitive information via a crafted HTML page.
CVE-2020-5679 1 Ec-cube 1 Ec-cube 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Improper restriction of rendered UI layers or frames in EC-CUBE versions from 3.0.0 to 3.0.18 leads to clickjacking attacks. If a user accesses a specially crafted page while logged into the administrative page, unintended operations may be conducted.