Vulnerabilities (CVE)

Filtered by CWE-1021
Total 250 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-2177 2024-07-09 N/A 6.8 MEDIUM
A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.
CVE-2024-3911 2024-07-03 N/A 6.5 MEDIUM
An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames. 
CVE-2024-30109 2024-06-28 N/A 3.7 LOW
HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page than the one intended.
CVE-2023-42011 2024-06-27 N/A 4.3 MEDIUM
IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: 265508.
CVE-2024-26167 2024-06-11 N/A 4.3 MEDIUM
Microsoft Edge for Android Spoofing Vulnerability
CVE-2024-2383 2024-06-07 N/A 4.3 MEDIUM
A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.
CVE-2024-29981 2024-05-28 N/A 4.3 MEDIUM
Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2024-1890 2024-05-17 N/A 6.4 MEDIUM
Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier.
CVE-2023-23126 1 Connectwise 1 Automate 2024-05-17 N/A 6.1 MEDIUM
Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy HTTP response header is present to block this attack.
CVE-2022-36736 1 Jitsi 1 Jitsi 2024-05-17 N/A 6.1 MEDIUM
Jitsi-2.10.5550 was discovered to contain a vulnerability in its web UI which allows attackers to perform a clickjacking attack via a crafted HTTP request. NOTE: this is disputed by the vendor
CVE-2023-4958 1 Redhat 1 Advanced Cluster Security 2024-05-03 N/A 6.1 MEDIUM
In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.
CVE-2023-47774 2024-04-24 N/A 5.4 MEDIUM
Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking.This issue affects Jetpack: from n/a before 12.7.
CVE-2024-20810 1 Samsung 1 Android 2024-04-02 N/A 3.3 LOW
Implicit intent hijacking vulnerability in Smart Suggestions prior to SMR Feb-2024 Release 1 allows local attackers to get sensitive information.
CVE-2024-28196 2024-03-13 N/A 6.5 MEDIUM
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version < 1.9.0 does not prevent other pages from displaying it in an iframe and is thus vulnerable to clickjacking. Clickjacking can be used to trick an existing user of YourSpotify to trigger actions, such as allowing signup of other users or deleting the current user account. Clickjacking works by opening the target application in an invisible iframe on an attacker-controlled site and luring a victim to visit the attacker page and interacting with it. By positioning elements over the invisible iframe, a victim can be tricked into triggering malicious or destructive actions in the invisible iframe, while they think they interact with a totally different site altogether. When a victim visits an attacker-controlled site while they are logged into YourSpotify, they can be tricked into performing actions on their YourSpotify instance without their knowledge. These actions include allowing signup of other users or deleting the current user account, resulting in a high impact to the integrity of YourSpotify. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2014-1483 5 Canonical, Mozilla, Opensuse and 2 more 8 Ubuntu Linux, Firefox, Seamonkey and 5 more 2024-02-14 5.0 MEDIUM N/A
Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint functions.
CVE-2023-6867 2 Debian, Mozilla 3 Debian Linux, Firefox, Firefox Esr 2024-02-02 N/A 6.1 MEDIUM
The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121.
CVE-2015-1241 6 Canonical, Debian, Google and 3 more 11 Ubuntu Linux, Debian Linux, Chrome and 8 more 2024-01-26 4.3 MEDIUM N/A
Google Chrome before 42.0.2311.90 does not properly consider the interaction of page navigation with the handling of touch events and gesture events, which allows remote attackers to trigger unintended UI actions via a crafted web site that conducts a "tapjacking" attack.
CVE-2024-0669 1 Plone 1 Plone 2024-01-26 N/A 7.1 HIGH
A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting verssion below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicios iframe element.
CVE-2017-7440 3 Apple, Gfi, Microsoft 4 Macos, Kerio Connect, Kerio Connect Client and 1 more 2024-01-26 4.3 MEDIUM 6.5 MEDIUM
Kerio Connect 8.0.0 through 9.2.2, and Kerio Connect Client desktop application for Windows and Mac 9.2.0 through 9.2.2, when e-mail preview is enabled, allows remote attackers to conduct clickjacking attacks via a crafted e-mail message.
CVE-2017-5697 1 Intel 1 Active Management Technology Firmware 2024-01-26 4.3 MEDIUM 6.5 MEDIUM
Insufficient clickjacking protection in the Web User Interface of Intel AMT firmware versions before 9.1.40.1000, 9.5.60.1952, 10.0.50.1004, 11.0.0.1205, and 11.6.25.1129 potentially allowing a remote attacker to hijack users web clicks via attacker's crafted web page.