Total
272 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-39320 | 2024-07-30 | N/A | 6.1 MEDIUM | ||
| Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5. | |||||
| CVE-2024-1890 | 2024-07-17 | N/A | 6.4 MEDIUM | ||
| Vulnerability whereby an attacker could send a malicious link to an authenticated operator, which could allow remote attackers to perform a clickjacking attack on Sunny WebBox firmware version 1.6.1 and earlier. | |||||
| CVE-2023-23126 | 1 Connectwise | 1 Automate | 2024-07-16 | N/A | 6.1 MEDIUM |
| Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy HTTP response header is present to block this attack. | |||||
| CVE-2024-2177 | 2024-07-09 | N/A | 6.8 MEDIUM | ||
| A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload. | |||||
| CVE-2024-3911 | 2024-07-03 | N/A | 6.5 MEDIUM | ||
| An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames. | |||||
| CVE-2024-30109 | 2024-06-28 | N/A | 3.7 LOW | ||
| HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page than the one intended. | |||||
| CVE-2023-42011 | 2024-06-27 | N/A | 4.3 MEDIUM | ||
| IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: 265508. | |||||
| CVE-2024-26167 | 2024-06-11 | N/A | 4.3 MEDIUM | ||
| Microsoft Edge for Android Spoofing Vulnerability | |||||
| CVE-2024-2383 | 2024-06-07 | N/A | 4.3 MEDIUM | ||
| A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3. | |||||
| CVE-2024-29981 | 2024-05-28 | N/A | 4.3 MEDIUM | ||
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | |||||
| CVE-2022-36736 | 1 Jitsi | 1 Jitsi | 2024-05-17 | N/A | 6.1 MEDIUM |
| Jitsi-2.10.5550 was discovered to contain a vulnerability in its web UI which allows attackers to perform a clickjacking attack via a crafted HTTP request. NOTE: this is disputed by the vendor | |||||
| CVE-2023-4958 | 1 Redhat | 1 Advanced Cluster Security | 2024-05-03 | N/A | 6.1 MEDIUM |
| In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions. | |||||
| CVE-2023-47774 | 2024-04-24 | N/A | 5.4 MEDIUM | ||
| Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking.This issue affects Jetpack: from n/a before 12.7. | |||||
| CVE-2024-20810 | 1 Samsung | 1 Android | 2024-04-02 | N/A | 3.3 LOW |
| Implicit intent hijacking vulnerability in Smart Suggestions prior to SMR Feb-2024 Release 1 allows local attackers to get sensitive information. | |||||
| CVE-2024-28196 | 2024-03-13 | N/A | 6.5 MEDIUM | ||
| your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version < 1.9.0 does not prevent other pages from displaying it in an iframe and is thus vulnerable to clickjacking. Clickjacking can be used to trick an existing user of YourSpotify to trigger actions, such as allowing signup of other users or deleting the current user account. Clickjacking works by opening the target application in an invisible iframe on an attacker-controlled site and luring a victim to visit the attacker page and interacting with it. By positioning elements over the invisible iframe, a victim can be tricked into triggering malicious or destructive actions in the invisible iframe, while they think they interact with a totally different site altogether. When a victim visits an attacker-controlled site while they are logged into YourSpotify, they can be tricked into performing actions on their YourSpotify instance without their knowledge. These actions include allowing signup of other users or deleting the current user account, resulting in a high impact to the integrity of YourSpotify. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2014-1483 | 5 Canonical, Mozilla, Opensuse and 2 more | 8 Ubuntu Linux, Firefox, Seamonkey and 5 more | 2024-02-14 | 5.0 MEDIUM | N/A |
| Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint functions. | |||||
| CVE-2023-6867 | 2 Debian, Mozilla | 3 Debian Linux, Firefox, Firefox Esr | 2024-02-02 | N/A | 6.1 MEDIUM |
| The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121. | |||||
| CVE-2015-1241 | 6 Canonical, Debian, Google and 3 more | 11 Ubuntu Linux, Debian Linux, Chrome and 8 more | 2024-01-26 | 4.3 MEDIUM | N/A |
| Google Chrome before 42.0.2311.90 does not properly consider the interaction of page navigation with the handling of touch events and gesture events, which allows remote attackers to trigger unintended UI actions via a crafted web site that conducts a "tapjacking" attack. | |||||
| CVE-2024-0669 | 1 Plone | 1 Plone | 2024-01-26 | N/A | 7.1 HIGH |
| A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting verssion below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicios iframe element. | |||||
| CVE-2017-7440 | 3 Apple, Gfi, Microsoft | 4 Macos, Kerio Connect, Kerio Connect Client and 1 more | 2024-01-26 | 4.3 MEDIUM | 6.5 MEDIUM |
| Kerio Connect 8.0.0 through 9.2.2, and Kerio Connect Client desktop application for Windows and Mac 9.2.0 through 9.2.2, when e-mail preview is enabled, allows remote attackers to conduct clickjacking attacks via a crafted e-mail message. | |||||