Total
330 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-65922 | 2026-01-08 | N/A | 4.3 MEDIUM | ||
| PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI Redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supplier because "PLANKA uses SameSite=Strict cookies, preventing authentication in cross-origin contexts. No session can be established. No credential interception or unauthorized actions are possible. Browser Same-Origin Policy prevents the parent page from accessing iframe content. Clickjacking is not applicable on the login page. Any credential capture would require attacker-controlled input and user interaction equivalent to phishing. The security outcome depends entirely on the user's trust in the parent page. An attacker can achieve the same effect with a fully fake login page. Embedding the legitimate page adds no risk, as browsers do not show URL, certificate, or padlock indicators in cross-origin iframes." | |||||
| CVE-2025-59849 | 1 Hcltechsw | 2 Hcl Devops Deploy, Hcl Launch | 2026-01-06 | N/A | 4.7 MEDIUM |
| Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages. | |||||
| CVE-2025-59479 | 1 Inaba | 2 Ib-mct001, Ib-mct001 Firmware | 2025-12-23 | N/A | 6.1 MEDIUM |
| CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on the product. | |||||
| CVE-2025-14809 | 2025-12-19 | N/A | 7.4 HIGH | ||
| ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. | |||||
| CVE-2025-14812 | 2025-12-19 | N/A | 7.5 HIGH | ||
| ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk. | |||||
| CVE-2025-14373 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-19 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2025-48639 | 1 Google | 1 Android | 2025-12-08 | N/A | 7.3 HIGH |
| In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2025-48597 | 1 Google | 1 Android | 2025-12-08 | N/A | 7.8 HIGH |
| In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-36149 | 1 Ibm | 1 Concert | 2025-12-02 | N/A | 6.3 MEDIUM |
| IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. | |||||
| CVE-2025-63522 | 1 Feehi | 1 Feehicms | 2025-12-02 | N/A | 4.6 MEDIUM |
| Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function | |||||
| CVE-2025-54527 | 1 Jetbrains | 1 Youtrack | 2025-12-01 | N/A | 6.1 MEDIUM |
| In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass security restrictions | |||||
| CVE-2025-13132 | 2025-11-25 | N/A | 7.4 HIGH | ||
| This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar.) | |||||
| CVE-2025-0421 | 2025-11-19 | N/A | 4.7 MEDIUM | ||
| Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay.This issue affects Shopside: through 05022025. | |||||
| CVE-2024-40817 | 1 Apple | 2 Macos, Safari | 2025-11-04 | N/A | 6.1 MEDIUM |
| The issue was addressed with improved UI handling. This issue is fixed in macOS Sonoma 14.6, Safari 17.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing. | |||||
| CVE-2025-64387 | 2025-11-04 | N/A | N/A | ||
| The web application is vulnerable to a so-called ‘clickjacking’ attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate. | |||||
| CVE-2025-30191 | 2025-11-04 | N/A | 5.4 MEDIUM | ||
| Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known | |||||
| CVE-2024-11695 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 5.4 MEDIUM |
| A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. | |||||
| CVE-2025-5267 | 1 Mozilla | 1 Firefox | 2025-11-03 | N/A | 5.4 MEDIUM |
| A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | |||||
| CVE-2024-30109 | 1 Hcltech | 1 Dryice Aex | 2025-10-30 | N/A | 3.7 LOW |
| HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page than the one intended. | |||||
| CVE-2025-28129 | 1 Phpgurukul | 1 Hostel Management System | 2025-10-21 | N/A | 5.4 MEDIUM |
| Phpgurukul Hostel Management System 2.1 is vulnerable to clickjacking. | |||||