Total
286 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-20810 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 3.3 LOW |
| Implicit intent hijacking vulnerability in Smart Suggestions prior to SMR Feb-2024 Release 1 allows local attackers to get sensitive information. | |||||
| CVE-2024-0669 | 1 Plone | 1 Plone | 2024-11-21 | N/A | 6.3 MEDIUM |
| A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting verssion below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicios iframe element. | |||||
| CVE-2023-6867 | 2 Debian, Mozilla | 3 Debian Linux, Firefox, Firefox Esr | 2024-11-21 | N/A | 6.1 MEDIUM |
| The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121. | |||||
| CVE-2023-6211 | 1 Mozilla | 1 Firefox | 2024-11-21 | N/A | 6.5 MEDIUM |
| If an attacker needed a user to load an insecure http: page and knew that user had enabled HTTPS-only mode, the attacker could have tricked the user into clicking to grant an HTTPS-only exception if they could get the user to participate in a clicking game. This vulnerability affects Firefox < 120. | |||||
| CVE-2023-6206 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-11-21 | N/A | 5.4 MEDIUM |
| The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5. | |||||
| CVE-2023-5721 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-11-21 | N/A | 4.3 MEDIUM |
| It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. | |||||
| CVE-2023-5103 | 1 Sick | 2 Apu0200, Apu0200 Firmware | 2024-11-21 | N/A | 4.3 MEDIUM |
| Improper Restriction of Rendered UI Layers or Frames in RDT400 in SICK APU allows an unprivileged remote attacker to potentially reveal sensitive information via tricking a user into clicking on an actionable item using an iframe. | |||||
| CVE-2023-4958 | 1 Redhat | 1 Advanced Cluster Security | 2024-11-21 | N/A | 6.1 MEDIUM |
| In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions. | |||||
| CVE-2023-4956 | 1 Redhat | 1 Quay | 2024-11-21 | N/A | 6.5 MEDIUM |
| A flaw was found in Quay. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. During the pentest, it has been detected that the config-editor page is vulnerable to clickjacking. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance. | |||||
| CVE-2023-4229 | 1 Moxa | 2 Iologik E4200, Iologik E4200 Firmware | 2024-11-21 | N/A | 4.3 MEDIUM |
| A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, potentially exposing users to security risks. This vulnerability may allow attackers to trick users into interacting with malicious content, leading to unintended actions or unauthorized data disclosures. | |||||
| CVE-2023-47774 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking.This issue affects Jetpack: from n/a before 12.7. | |||||
| CVE-2023-47311 | 1 Spaceapplications | 1 Yacms | 2024-11-21 | N/A | 6.1 MEDIUM |
| An issue in Yamcs 5.8.6 allows attackers to send aribitrary telelcommands in a Command Stack via Clickjacking. | |||||
| CVE-2023-45698 | 1 Hcltech | 1 Sametime Chat And Meetings | 2024-11-21 | N/A | 4.8 MEDIUM |
| Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks. | |||||
| CVE-2023-42011 | 1 Ibm | 1 Sterling B2b Integrator | 2024-11-21 | N/A | 4.3 MEDIUM |
| IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: 265508. | |||||
| CVE-2023-41897 | 1 Home-assistant | 1 Home-assistant | 2024-11-21 | N/A | 8.8 HIGH |
| Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-3140 | 1 Knime | 1 Business Hub | 2024-11-21 | N/A | 4.3 MEDIUM |
| Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 has left users vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. | |||||
| CVE-2023-38873 | 1 Economizzer | 1 Economizzer | 2024-11-21 | N/A | 6.5 MEDIUM |
| The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer is vulnerable to Clickjacking. Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. | |||||
| CVE-2023-37455 | 1 Mozilla | 1 Firefox | 2024-11-21 | N/A | 5.4 MEDIUM |
| The permission request prompt from the site in the background tab was overlaid on top of the site in the foreground tab. This vulnerability affects Firefox for iOS < 115. | |||||
| CVE-2023-36920 | 1 Sap | 4 Enable Now Enable Now Consump Del, Enable Now Wpb Manager, Enable Now Wpb Manager Ce and 1 more | 2024-11-21 | N/A | 6.1 MEDIUM |
| In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or modification of information. | |||||
| CVE-2023-30961 | 1 Palantir | 2 Gotham-fe-bundle, Titanium-browser-app-bundle | 2024-11-21 | N/A | 6.5 MEDIUM |
| Palantir Gotham was found to be vulnerable to a bug where under certain circumstances, the frontend could have applied an incorrect classification to a newly created property or link. | |||||