Total
270 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-21111 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-11-07 | 9.6 Critical |
| Insufficient policy enforcement in WebUI in Google Chrome prior to 87.0.4280.141 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. | ||||
| CVE-2021-1403 | 1 Cisco | 1 Ios Xe | 2023-11-07 | 7.4 High |
| A vulnerability in the web UI feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack and cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient HTTP protections in the web UI on an affected device. An attacker could exploit this vulnerability by persuading an authenticated user of the web UI to follow a crafted link. A successful exploit could allow the attacker to corrupt memory on the affected device, forcing it to reload and causing a DoS condition. | ||||
| CVE-2020-9517 | 1 Microfocus | 1 Service Manager | 2023-11-07 | 5.4 Medium |
| There is an improper restriction of rendered UI layers or frames vulnerability in Micro Focus Service Manager Release Control versions 9.50 and 9.60. The vulnerability may result in the ability of malicious users to perform UI redress attacks. | ||||
| CVE-2020-6547 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-11-07 | 6.5 Medium |
| Incorrect security UI in media in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially obtain sensitive information via a crafted HTML page. | ||||
| CVE-2020-1728 | 2 Quarkus, Redhat | 2 Quarkus, Keycloak | 2023-11-07 | 5.4 Medium |
| A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. | ||||
| CVE-2019-5861 | 1 Google | 1 Chrome | 2023-11-07 | 4.3 Medium |
| Insufficient data validation in Blink in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to bypass anti-clickjacking policy via a crafted HTML page. | ||||
| CVE-2019-5767 | 4 Debian, Fedoraproject, Google and 1 more | 7 Debian Linux, Fedora, Android and 4 more | 2023-11-07 | N/A |
| Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.81 allowed an attacker who convinced the user to install a malicious application to access privacy/security sensitive web APIs via a crafted APK. | ||||
| CVE-2019-3639 | 1 Mcafee | 1 Web Gateway | 2023-11-07 | N/A |
| Clickjack vulnerability in Adminstrator web console in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows remote attackers to conduct clickjacking attacks via a crafted web page that contains an iframe via does not send an X-Frame-Options HTTP header. | ||||
| CVE-2018-6178 | 3 Debian, Google, Redhat | 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more | 2023-11-07 | N/A |
| Eliding from the wrong side in an infobar in DevTools in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to Hide Chrome Security UI via a crafted Chrome Extension. | ||||
| CVE-2017-5026 | 1 Google | 1 Chrome | 2023-11-07 | N/A |
| Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to prevent alerts from being displayed by swapped out frames, which allowed a remote attacker to show alerts on a page they don't control via a crafted HTML page. | ||||
| CVE-2017-5016 | 1 Google | 1 Chrome | 2023-11-07 | N/A |
| Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to prevent certain UI elements from being displayed by non-visible pages, which allowed a remote attacker to show certain UI elements on a page they don't control via a crafted HTML page. | ||||
| CVE-2023-5721 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2023-11-01 | 4.3 Medium |
| It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. | ||||
| CVE-2023-41897 | 1 Home-assistant | 1 Home-assistant | 2023-10-26 | 9.6 Critical |
| Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2020-2105 | 1 Jenkins | 1 Jenkins | 2023-10-25 | 5.4 Medium |
| REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks. | ||||
| CVE-2023-5103 | 1 Sick | 2 Apu0200, Apu0200 Firmware | 2023-10-11 | 4.3 Medium |
| Improper Restriction of Rendered UI Layers or Frames in RDT400 in SICK APU allows an unprivileged remote attacker to potentially reveal sensitive information via tricking a user into clicking on an actionable item using an iframe. | ||||
| CVE-2023-38873 | 1 Economizzer | 1 Economizzer | 2023-10-02 | 6.5 Medium |
| The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer is vulnerable to Clickjacking. Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. | ||||
| CVE-2023-0654 | 1 Cloudflare | 1 Warp | 2023-09-01 | 3.7 Low |
| Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim's device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker's app. | ||||
| CVE-2023-4229 | 1 Moxa | 2 Iologik E4200, Iologik E4200 Firmware | 2023-08-29 | 4.7 Medium |
| A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, potentially exposing users to security risks. This vulnerability may allow attackers to trick users into interacting with malicious content, leading to unintended actions or unauthorized data disclosures. | ||||
| CVE-2021-0386 | 1 Google | 1 Android | 2023-08-08 | 7.8 High |
| In onCreate of UsbConfirmActivity, there is a possible tapjacking vector due to an insecure default value. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-173421110 | ||||
| CVE-2022-1138 | 1 Google | 1 Chrome | 2023-08-08 | 6.5 Medium |
| Inappropriate implementation in Web Cursor in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who had compromised the renderer process to obscure the contents of the Omnibox (URL bar) via a crafted HTML page. | ||||