Total: 240 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-30109 | | | 2024-06-28 | N/A | 3.7 LOW | HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on a page other than the one intended.
CVE-2024-26167 | | | 2024-06-11 | N/A | 4.3 MEDIUM | Microsoft Edge for Android Spoofing Vulnerability
CVE-2024-29981 | | | 2024-05-28 | N/A | 4.3 MEDIUM | Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2023-4958 | 1 Redhat | 1 Advanced Cluster Security | 2024-05-03 | N/A | 6.1 MEDIUM | In Red Hat Advanced Cluster Security (RHACS), it was found that some security-related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.
CVE-2023-47774 | | | 2024-04-24 | N/A | 5.4 MEDIUM | Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking. This issue affects Jetpack: from n/a before 12.7.
CVE-2024-20810 | 1 Samsung | 1 Android | 2024-04-02 | N/A | 3.3 LOW | Implicit intent hijacking vulnerability in Smart Suggestions prior to SMR Feb-2024 Release 1 allows local attackers to get sensitive information.
CVE-2024-28196 | | | 2024-03-13 | N/A | 6.5 MEDIUM | your_spotify is an open source, self-hosted Spotify tracking dashboard. YourSpotify version < 1.9.0 does not prevent other pages from displaying it in an iframe and is thus vulnerable to clickjacking. Clickjacking can be used to trick an existing user of YourSpotify into triggering actions, such as allowing signup of other users or deleting the current user account. Clickjacking works by opening the target application in an invisible iframe on an attacker-controlled site and luring a victim to visit the attacker page and interact with it. By positioning elements over the invisible iframe, a victim can be tricked into triggering malicious or destructive actions in the invisible iframe, while they think they are interacting with a totally different site altogether. When a victim visits an attacker-controlled site while they are logged into YourSpotify, they can be tricked into performing actions on their YourSpotify instance without their knowledge. These actions include allowing signup of other users or deleting the current user account, resulting in a high impact to the integrity of YourSpotify. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2014-1483 | 5 Canonical, Mozilla, Opensuse and 2 more | 8 Ubuntu Linux, Firefox, Seamonkey and 5 more | 2024-02-14 | 5.0 MEDIUM | N/A | Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint functions.
CVE-2023-6211 | 1 Mozilla | 1 Firefox | 2024-02-05 | N/A | 6.5 MEDIUM | If an attacker needed a user to load an insecure http: page and knew that user had enabled HTTPS-only mode, the attacker could have tricked the user into clicking to grant an HTTPS-only exception if they could get the user to participate in a clicking game. This vulnerability affects Firefox < 120.
CVE-2023-2265 | 1 Selinc | 2 Sel-411l, Sel-411l Firmware | 2024-02-05 | N/A | 6.1 MEDIUM | An Improper Restriction of Rendered UI Layers or Frames in the Schweitzer Engineering Laboratories SEL-411L could allow an unauthenticated attacker to perform clickjacking-based attacks against an authenticated and authorized user. See product Instruction Manual Appendix A dated 20230830 for more details.
CVE-2023-4956 | 1 Redhat | 1 Quay | 2024-02-05 | N/A | 4.3 MEDIUM | A flaw was found in Quay. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. During the pentest, it was detected that the config-editor page is vulnerable to clickjacking. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance.
CVE-2023-47311 | 1 Spaceapplications | 1 Yacms | 2024-02-05 | N/A | 6.1 MEDIUM | An issue in Yamcs 5.8.6 allows attackers to send arbitrary telecommands in a Command Stack via Clickjacking.
CVE-2024-0669 | 1 Plone | 1 Plone | 2024-02-05 | N/A | 7.1 HIGH | A Cross-Frame Scripting vulnerability has been found in Plone CMS affecting versions below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicious iframe element.
CVE-2022-32919 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2024-02-05 | N/A | 4.7 MEDIUM | The issue was addressed with improved UI handling. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1. Visiting a website that frames malicious content may lead to UI spoofing.
CVE-2023-6206 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-02-05 | N/A | 5.4 MEDIUM | The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
CVE-2023-37455 | 1 Mozilla | 1 Firefox | 2024-02-05 | N/A | 5.4 MEDIUM | The permission request prompt from the site in the background tab was overlaid on top of the site in the foreground tab. This vulnerability affects Firefox for iOS < 115.
CVE-2023-23343 | 1 Hcltech | 1 Bigfix Osd Bare Metal Server | 2024-02-04 | N/A | 6.1 MEDIUM | A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows an attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled domain.
CVE-2022-43378 | 1 Schneider-electric | 10 Netbotz 355, Netbotz 355 Firmware, Netbotz 450 and 7 more | 2024-02-04 | N/A | 6.5 MEDIUM | A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause the user to be tricked into performing unintended actions when external address frames are not properly restricted. Affected Products: NetBotz 4 - 355/450/455/550/570 (V4.7.0 and prior)
CVE-2023-3140 | 1 Knime | 1 Business Hub | 2024-02-04 | N/A | 4.3 MEDIUM | Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 have left users vulnerable to clickjacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, on another server on which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends it to the other server.
CVE-2022-20443 | 1 Google | 1 Android | 2024-02-04 | N/A | 7.8 HIGH | In hasInputInfo of Layer.cpp, there is a possible bypass of user interaction requirements due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-194480991