Total
245 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-27773 | 1 Hcltech | 1 Sametime | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
This vulnerability allows users to execute a clickjacking attack in the meeting's chat. | |||||
CVE-2022-28649 | 1 Jetbrains | 1 Youtrack | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description | |||||
CVE-2022-1803 | 1 Trudesk Project | 1 Trudesk | 2023-12-10 | 4.9 MEDIUM | 6.9 MEDIUM |
Improper Restriction of Rendered UI Layers or Frames in GitHub repository polonel/trudesk prior to 1.2.2. | |||||
CVE-2021-39691 | 1 Google | 1 Android | 2023-12-10 | 6.9 MEDIUM | 7.3 HIGH |
In WindowManager, there is a possible tapjacking attack due to an incorrect window flag when processing user input. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-157929241 | |||||
CVE-2017-20041 | 1 Ucweb | 1 Uc Browser | 2023-12-10 | 4.3 MEDIUM | 6.5 MEDIUM |
A vulnerability was found in Ucweb UC Browser 11.2.5.932. It has been classified as critical. Affected is an unknown function of the component HTML Handler. The manipulation of the argument title leads to improper restriction of rendered ui layers (URL). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2022-24733 | 1 Sylius | 1 Sylius | 2023-12-10 | 5.8 MEDIUM | 6.1 MEDIUM |
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app. | |||||
CVE-2021-39702 | 1 Google | 1 Android | 2023-12-10 | 9.3 HIGH | 7.8 HIGH |
In onCreate of RequestManageCredentials.java, there is a possible way for a third party app to install certificates without user approval due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-205150380 | |||||
CVE-2022-22807 | 1 Schneider-electric | 14 Hmibscea53d1edb, Hmibscea53d1edb Firmware, Hmibscea53d1edl and 11 more | 2023-12-10 | 4.3 MEDIUM | 7.4 HIGH |
A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within iframes. Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13) | |||||
CVE-2022-27220 | 1 Siemens | 1 Sinema Remote Connect Server | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 6220. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors. | |||||
CVE-2022-0110 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
Incorrect security UI in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||||
CVE-2021-27414 | 1 Hitachienergy | 1 Ellipse Enterprise Asset Management | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
An attacker could trick a user of Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 into visiting a malicious website posing as a login page for the Ellipse application and gather authentication credentials. | |||||
CVE-2021-39669 | 1 Google | 1 Android | 2023-12-10 | 4.4 MEDIUM | 7.8 HIGH |
In onCreate of InstallCaCertificateWarning.java, there is a possible way to mislead an user about CA installation circumstances due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-196969991 | |||||
CVE-2021-46708 | 1 Smartbear | 1 Swagger-ui-dist | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | |||||
CVE-2021-39796 | 1 Google | 1 Android | 2023-12-10 | 6.9 MEDIUM | 7.3 HIGH |
In HarmfulAppWarningActivity of HarmfulAppWarningActivity.java, there is a possible way to trick victim to install harmful app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-205595291 | |||||
CVE-2022-27219 | 1 Siemens | 1 Sinema Remote Connect Server | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 443. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors. | |||||
CVE-2021-41657 | 1 Smartbear | 1 Collaborator | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
SmartBear CodeCollaborator v6.1.6102 was discovered to contain a vulnerability in the web UI which would allow an attacker to conduct a clickjacking attack. | |||||
CVE-2021-39692 | 1 Google | 1 Android | 2023-12-10 | 9.3 HIGH | 7.8 HIGH |
In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-209611539 | |||||
CVE-2021-29865 | 3 Ibm, Linux, Microsoft | 3 Jazz Team Server, Linux Kernel, Windows | 2023-12-10 | 4.9 MEDIUM | 5.4 MEDIUM |
IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 206091. | |||||
CVE-2021-44683 | 1 Duckduckgo | 1 Duckduckgo | 2023-12-10 | 5.8 MEDIUM | 8.2 HIGH |
The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker's web site. | |||||
CVE-2021-3660 | 2 Cockpit-project, Redhat | 2 Cockpit, Enterprise Linux | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks. |