Total
270 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-40268 | 1 Mitsubishielectric | 5 Gt25, Gt25 Firmware, Gt27 and 2 more | 2023-02-09 | 4.7 Medium |
| Improper Restriction of Rendered UI Layers or Frames vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.14.000 to 01.47.000, Mitsubishi Electric Corporation GOT2000 Series GT25 model versions 01.14.000 to 01.47.000 and Mitsubishi Electric Corporation GT SoftGOT2000 versions 1.265B to 1.285X allows a remote unauthenticated attacker to lead legitimate users to perform unintended operations through clickjacking. | ||||
| CVE-2022-32517 | 1 Schneider-electric | 2 Conext Combox, Conext Combox Firmware | 2023-02-07 | 6.5 Medium |
| A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause an adversary to trick the interface user/admin into interacting with the application in an unintended way when the product does not implement restrictions on the ability to render within frames on external addresses. Affected Products: Conextâ„¢ ComBox (All Versions) | ||||
| CVE-2019-4058 | 1 Ibm | 1 Bigfix Platform | 2023-02-03 | 6.5 Medium |
| IBM BigFix Platform 9.2 and 9.5 could allow a low-privilege user to manipulate the UI into exposing interface elements and information normally restricted to administrators. IBM X-Force ID: 156570. | ||||
| CVE-2023-20913 | 1 Google | 1 Android | 2023-02-02 | 7.8 High |
| In onCreate of PhoneAccountSettingsActivity.java and related files, there is a possible way to mislead the user into enabling a malicious phone account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-246933785 | ||||
| CVE-2022-20215 | 1 Google | 1 Android | 2023-02-01 | 5.5 Medium |
| In onCreate of MasterClearConfirmFragment.java, there is a possible factory reset due to a tapjacking/overlay attack. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-183794206 | ||||
| CVE-2022-20214 | 1 Google | 1 Android | 2023-02-01 | 4.7 Medium |
| In Car Settings app, the toggle button in Modify system settings is vulnerable to tapjacking attack. Attackers can overlay the toggle button to enable apps to modify system settings without user consent.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-183411210 | ||||
| CVE-2023-0057 | 2 Pyload, Pyload-ng Project | 2 Pyload, Pyload-ng | 2023-01-11 | 6.1 Medium |
| Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33. | ||||
| CVE-2020-9993 | 1 Apple | 4 Ipados, Iphone Os, Safari and 1 more | 2023-01-09 | 4.3 Medium |
| The issue was addressed with improved UI handling. This issue is fixed in watchOS 7.0, Safari 14.0, iOS 14.0 and iPadOS 14.0. Visiting a malicious website may lead to address bar spoofing. | ||||
| CVE-2022-45417 | 1 Mozilla | 1 Firefox | 2023-01-04 | 4.3 Medium |
| Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have leaked Private Browsing Mode details to disk. This vulnerability affects Firefox < 107. | ||||
| CVE-2022-45418 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-01-04 | 6.1 Medium |
| If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. | ||||
| CVE-2022-45420 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-01-04 | 6.5 Medium |
| Use tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107. | ||||
| CVE-2022-29911 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2023-01-04 | 6.1 Medium |
| An improper implementation of the new iframe sandbox keyword <code>allow-top-navigation-by-user-activation</code> could lead to script execution without <code>allow-scripts</code> being present. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100. | ||||
| CVE-2022-3034 | 1 Mozilla | 1 Thunderbird | 2022-12-30 | 4.3 Medium |
| When receiving an HTML email that specified to load an <code>iframe</code> element from a remote location, a request to the remote document was sent. However, Thunderbird didn't display the document. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1. | ||||
| CVE-2022-28286 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2022-12-30 | 5.4 Medium |
| Due to a layout change, iframe contents could have been rendered outside of its border. This could have led to user confusion or spoofing attacks. This vulnerability affects Thunderbird < 91.8, Firefox < 99, and Firefox ESR < 91.8. | ||||
| CVE-2022-20553 | 1 Google | 1 Android | 2022-12-21 | 6.5 Medium |
| In onCreate of LogAccessDialogActivity.java, there is a possible way to bypass a permission check due to a tapjacking/overlay attack. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-244155265 | ||||
| CVE-2022-20520 | 1 Google | 1 Android | 2022-12-20 | 7.8 High |
| In onCreate of various files, there is a possible tapjacking/overlay attack. This could lead to local escalation of privilege or denial of server with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-227203202 | ||||
| CVE-2022-46061 | 1 Aerocms Project | 1 Aerocms | 2022-12-16 | 6.1 Medium |
| AeroCMS v0.0.1 is vulnerable to ClickJacking. | ||||
| CVE-2022-20501 | 1 Google | 1 Android | 2022-12-15 | 7.3 High |
| In onCreate of EnableAccountPreferenceActivity.java, there is a possible way to mislead the user into enabling a malicious phone account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-246933359 | ||||
| CVE-2022-20442 | 1 Google | 1 Android | 2022-12-15 | 7.3 High |
| In onCreate of ReviewPermissionsActivity.java, there is a possible way to grant permissions for a separate app with API level < 23 due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-176094367 | ||||
| CVE-2019-13924 | 1 Siemens | 16 Scalance X-200irt, Scalance X-200irt Firmware, Scalance X-300 and 13 more | 2022-12-13 | 5.4 Medium |
| A vulnerability has been identified in SCALANCE S602 (All versions < V4.1), SCALANCE S612 (All versions < V4.1), SCALANCE S623 (All versions < V4.1), SCALANCE S627-2M (All versions < V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET variants) (All versions < 5.2.4), SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) (All versions < V5.5.0), SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < 4.1.3). The device does not send the X-Frame-Option Header in the administrative web interface, which makes it vulnerable to Clickjacking attacks. The security vulnerability could be exploited by an attacker that is able to trick an administrative user with a valid session on the target device into clicking on a website controlled by the attacker. The vulnerability could allow an attacker to perform administrative actions via the web interface. | ||||