Total
245 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2021-1036 | 1 Google | 1 Android | 2023-12-10 | 6.8 MEDIUM | 7.8 HIGH |
In LocationSettingsActivity of AndroidManifest.xml, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-182812255 | |||||
CVE-2021-38508 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3. | |||||
CVE-2021-43048 | 1 Tibco | 1 Partnerexpress | 2023-12-10 | 10.0 HIGH | 9.8 CRITICAL |
The Interior Server and Gateway Server components of TIBCO Software Inc.'s TIBCO PartnerExpress contain a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a clickjacking attack on the affected system. A successful attack using this vulnerability does not require human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: versions 6.2.1 and below. | |||||
CVE-2021-1006 | 1 Google | 1 Android | 2023-12-10 | 2.1 LOW | 4.4 MEDIUM |
In several functions of DatabaseManager.java, there is a possible leak of Bluetooth MAC addresses due to log information disclosure. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-183961974 | |||||
CVE-2021-43546 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor. This vulnerability affects Thunderbird < 91.4.0, Firefox ESR < 91.4.0, and Firefox < 95. | |||||
CVE-2021-3799 | 1 Getgrav | 1 Grav-plugin-admin | 2023-12-10 | 5.8 MEDIUM | 5.4 MEDIUM |
grav-plugin-admin is vulnerable to Improper Restriction of Rendered UI Layers or Frames | |||||
CVE-2021-22866 | 1 Github | 1 Enterprise Server | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App on the instance and have a user authorize the application through the web authentication flow. All permissions being granted would properly be shown during the first authorization, but in certain circumstances, if the user revisits the authorization flow after the GitHub App has configured additional user-level permissions, those additional permissions may not be shown, leading to more permissions being granted than the user potentially intended. This vulnerability affected GitHub Enterprise Server 3.0.x prior to 3.0.7 and 2.22.x prior to 2.22.13. It was fixed in versions 3.0.7 and 2.22.13. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
CVE-2021-0537 | 1 Google | 1 Android | 2023-12-10 | 4.4 MEDIUM | 7.3 HIGH |
In onCreate of WiFiInstaller.java, there is a possible way to install a malicious Hotspot 2.0 configuration due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-176756141 | |||||
CVE-2021-0586 | 1 Google | 1 Android | 2023-12-10 | 6.9 MEDIUM | 7.8 HIGH |
In onCreate of DevicePickerFragment.java, there is a possible way to trick the user to select an unwanted bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-182584940 | |||||
CVE-2021-0506 | 1 Google | 1 Android | 2023-12-10 | 6.9 MEDIUM | 7.3 HIGH |
In ActivityPicker.java, there is a possible bypass of user interaction in intent resolution due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-181962311 | |||||
CVE-2021-20560 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Sterling Connect Direct User Interface and 3 more | 2023-12-10 | 4.9 MEDIUM | 5.4 MEDIUM |
IBM Sterling Connect:Direct Browser User Interface 1.4.1.1 and 1.5.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 199229. | |||||
CVE-2021-0523 | 1 Google | 1 Android | 2023-12-10 | 4.4 MEDIUM | 7.3 HIGH |
In onCreate of WifiScanModeActivity.java, there is a possible way to enable Wi-Fi scanning without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-174047492 | |||||
CVE-2021-3731 | 2 Debian, Ledgersmb | 2 Debian Linux, Ledgersmb | 2023-12-10 | 4.3 MEDIUM | 4.7 MEDIUM |
LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to 'clickjacking'. This allows an attacker to trick a targetted user to execute unintended actions. | |||||
CVE-2021-3734 | 1 Yourls | 1 Yourls | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames | |||||
CVE-2021-0569 | 1 Google | 1 Android | 2023-12-10 | 1.9 LOW | 5.0 MEDIUM |
In onStart of ContactsDumpActivity.java, there is possible access to contacts due to a tapjacking/overlay attack. This could lead to local information disclosure with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174045870 | |||||
CVE-2021-37788 | 1 Gurock | 1 Testrail | 2023-12-10 | 4.3 MEDIUM | 5.4 MEDIUM |
A vulnerability in the web UI of Gurock TestRail v5.3.0.3603 could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted HTTP packets with malicious iFrame data. A successful exploit could allow the attacker to perform a clickjacking attack where the user is tricked into clicking a malicious link. | |||||
CVE-2021-35300 | 1 Zammad | 1 Zammad | 2023-12-10 | 4.3 MEDIUM | 4.3 MEDIUM |
Text injection/Content Spoofing in 404 page in Zammad 1.0.x up to 4.0.0 could allow remote attackers to manipulate users into visiting the attackers' page. | |||||
CVE-2021-32070 | 1 Mitel | 1 Micollab | 2023-12-10 | 5.8 MEDIUM | 5.4 MEDIUM |
The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to perform a clickjacking attack due to an insecure header response. A successful exploit could allow an attacker to modify the browser header and redirect users. | |||||
CVE-2021-0538 | 1 Google | 1 Android | 2023-12-10 | 4.4 MEDIUM | 7.3 HIGH |
In onCreate of EmergencyCallbackModeExitDialog.java, there is a possible exit of emergency callback mode due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-178821491 | |||||
CVE-2021-33596 | 1 F-secure | 1 Safe | 2023-12-10 | 3.5 LOW | 4.1 MEDIUM |
Showing the legitimate URL in the address bar while loading the content from other domain. This makes the user believe that the content is served by a legit domain. Exploiting the vulnerability requires the user to click on a specially crafted, seemingly legitimate URL containing an embedded malicious redirect while using F-Secure Safe Browser for iOS. |