Total
270 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-0391 | 1 Google | 1 Android | 2023-08-08 | 7.8 High |
| In onCreate() of ChooseTypeAndAccountActivity.java, there is a possible way to learn the existence of an account, without permissions, due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-172841550 | ||||
| CVE-2022-1138 | 1 Google | 1 Chrome | 2023-08-08 | 6.5 Medium |
| Inappropriate implementation in Web Cursor in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who had compromised the renderer process to obscure the contents of the Omnibox (URL bar) via a crafted HTML page. | ||||
| CVE-2022-20213 | 1 Google | 1 Android | 2023-08-08 | 5.5 Medium |
| In ApplicationsDetailsActivity of AndroidManifest.xml, there is a possible DoS due to a tapjacking/overlay attack. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-183410508 | ||||
| CVE-2021-37788 | 1 Gurock | 1 Testrail | 2023-08-08 | 5.4 Medium |
| A vulnerability in the web UI of Gurock TestRail v5.3.0.3603 could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted HTTP packets with malicious iFrame data. A successful exploit could allow the attacker to perform a clickjacking attack where the user is tricked into clicking a malicious link. | ||||
| CVE-2021-35237 | 1 Solarwinds | 1 Kiwi Syslog Server | 2023-08-03 | 4.3 Medium |
| A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. This is an attack on both the user and the server. | ||||
| CVE-2023-37455 | 1 Mozilla | 1 Firefox | 2023-07-20 | 5.4 Medium |
| The permission request prompt from the site in the background tab was overlaid on top of the site in the foreground tab. This vulnerability affects Firefox for iOS < 115. | ||||
| CVE-2022-20443 | 1 Google | 1 Android | 2023-07-05 | 7.8 High |
| In hasInputInfo of Layer.cpp, there is a possible bypass of user interaction requirements due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-194480991 | ||||
| CVE-2023-23343 | 1 Hcltech | 1 Bigfix Osd Bare Metal Server | 2023-07-03 | 6.1 Medium |
| A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled domain. | ||||
| CVE-2023-3140 | 1 Knime | 1 Business Hub | 2023-06-16 | 4.3 Medium |
| Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 has left users vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. | ||||
| CVE-2022-32891 | 1 Apple | 4 Iphone Os, Safari, Tvos and 1 more | 2023-05-30 | 6.1 Medium |
| The issue was addressed with improved UI handling. This issue is fixed in Safari 16, tvOS 16, watchOS 9, iOS 16. Visiting a website that frames malicious content may lead to UI spoofing. | ||||
| CVE-2019-19001 | 1 Hitachienergy | 1 Esoms | 2023-05-16 | 6.5 Medium |
| For ABB eSOMS versions 4.0 to 6.0.2, the X-Frame-Options header is not configured in HTTP response. This can potentially allow 'ClickJacking' attacks where an attacker can frame parts of the application on a malicious web site, revealing sensitive user information such as authentication credentials. | ||||
| CVE-2021-27414 | 1 Hitachienergy | 1 Ellipse Enterprise Asset Management | 2023-05-16 | 6.1 Medium |
| An attacker could trick a user of Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 into visiting a malicious website posing as a login page for the Ellipse application and gather authentication credentials. | ||||
| CVE-2022-43378 | 1 Schneider-electric | 10 Netbotz 355, Netbotz 355 Firmware, Netbotz 450 and 7 more | 2023-04-27 | 6.5 Medium |
| A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause the user to be tricked into performing unintended actions when external address frames are not properly restricted. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior) | ||||
| CVE-2021-46708 | 1 Smartbear | 1 Swagger-ui-dist | 2023-03-28 | 6.1 Medium |
| The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | ||||
| CVE-2023-1362 | 1 Bumsys Project | 1 Bumsys | 2023-03-15 | 6.1 Medium |
| Improper Restriction of Rendered UI Layers or Frames in GitHub repository unilogies/bumsys prior to v2.0.2. | ||||
| CVE-2020-10951 | 1 Westerndigital | 2 Ibi, My Cloud Home | 2023-03-01 | 4.7 Medium |
| Western Digital My Cloud Home and ibi devices before 2.2.0 allow clickjacking on sign-in pages. | ||||
| CVE-2022-22807 | 1 Schneider-electric | 14 Hmibscea53d1edb, Hmibscea53d1edb Firmware, Hmibscea53d1edl and 11 more | 2023-02-22 | 7.4 High |
| A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within iframes. Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13) | ||||
| CVE-2023-0780 | 1 Agentejo | 1 Cockpit | 2023-02-22 | 5.4 Medium |
| Improper Restriction of Rendered UI Layers or Frames in GitHub repository cockpit-hq/cockpit prior to 2.3.9-dev. | ||||
| CVE-2021-3660 | 2 Cockpit-project, Redhat | 2 Cockpit, Enterprise Linux | 2023-02-12 | 4.3 Medium |
| Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks. | ||||
| CVE-2020-10743 | 2 Elastic, Redhat | 2 Kibana, Openshift Container Platform | 2023-02-12 | 4.3 Medium |
| It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking. | ||||