Total
372 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-2613 | 1 Mozilla | 1 Firefox | 2025-02-25 | N/A | 7.5 HIGH |
|
Data was not properly sanitized when decoding a QUIC ACK frame; this could have led to unrestricted memory consumption and a crash. This vulnerability affects Firefox < 124.
|
|||||
| CVE-2025-24874 | 2025-02-18 | N/A | 6.8 MEDIUM | ||
|
SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP directive. Hence, clickjacking could become possible then, and lead to exposure and modification of sensitive information.
|
|||||
| CVE-2024-49796 | 1 Ibm | 1 Applinx | 2025-02-13 | N/A | 5.4 MEDIUM |
|
IBM ApplinX 11.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.
|
|||||
| CVE-2024-28196 | 1 Yooooomi | 1 Your Spotify | 2025-02-12 | N/A | 6.5 MEDIUM |
|
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version < 1.9.0 does not prevent other pages from displaying it in an iframe and is thus vulnerable to clickjacking. Clickjacking can be used to trick an existing user of YourSpotify to trigger actions, such as allowing signup of other users or deleting the current user account. Clickjacking works by opening the target application in an invisible iframe on an attacker-controlled site and luring a victim to visit ...
Show More |
|||||
| CVE-2025-1019 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-02-06 | N/A | 4.3 MEDIUM |
|
The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135.
|
|||||
| CVE-2025-1018 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-02-06 | N/A | 5.3 MEDIUM |
|
The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135.
|
|||||
| CVE-2024-6466 | 2025-01-21 | N/A | 5.3 MEDIUM | ||
|
NEC Corporation's WebSAM DeploymentManager v6.0 to v6.80 allows an attacker to reset configurations or restart products via network with X-FRAME-OPTIONS is not specified.
|
|||||
| CVE-2023-25730 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-10 | N/A | 5.4 MEDIUM |
|
A background script invoking <code>requestFullscreen</code> and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.
|
|||||
| CVE-2023-25748 | 1 Mozilla | 1 Firefox | 2025-01-09 | N/A | 4.3 MEDIUM |
|
By displaying a prompt with a long description, the fullscreen notification could have been hidden, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 111.
|
|||||
| CVE-2023-28159 | 1 Mozilla | 1 Firefox | 2025-01-09 | N/A | 4.3 MEDIUM |
|
The fullscreen notification could have been hidden on Firefox for Android by using download popups, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 111.
|
|||||
| CVE-2023-2013 | 1 Gitlab | 1 Gitlab | 2025-01-07 | N/A | 2.6 LOW |
|
An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code.
|
|||||
| CVE-2024-29981 | 1 Microsoft | 1 Edge Chromium | 2025-01-06 | N/A | 4.3 MEDIUM |
|
Microsoft Edge (Chromium-based) Spoofing Vulnerability
|
|||||
| CVE-2024-31323 | 1 Google | 1 Android | 2024-12-17 | N/A | 7.8 HIGH |
|
In onCreate of multiple files, there is a possible way to trick the user into granting health permissions due to tapjacking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-34743 | 1 Google | 1 Android | 2024-12-17 | N/A | 7.8 HIGH |
|
In setTransactionState of SurfaceFlinger.cpp, there is a possible way to perform tapjacking due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-7404 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.8 MEDIUM |
|
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow.
|
|||||
| CVE-2024-2177 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.8 MEDIUM |
|
A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload.
|
|||||
| CVE-2024-55888 | 2024-12-12 | N/A | 7.1 HIGH | ||
|
Hush Line is an open-source whistleblower management system. Starting in version 0.1.0 and prior to version 0.3.5, the productions server appeared to have been misconfigured and missed providing any content security policy or security headers. This could result in bypassing of cross-site scripting filters. Version 0.3.5 fixed the issue.
|
|||||
| CVE-2024-26167 | 1 Microsoft | 1 Edge | 2024-11-29 | N/A | 4.3 MEDIUM |
|
Microsoft Edge for Android Spoofing Vulnerability
|
|||||
| CVE-2023-34658 | 1 Telegram | 1 Telegram | 2024-11-27 | N/A | 5.3 MEDIUM |
|
Telegram v9.6.3 on iOS allows attackers to hide critical information on the User Interface via calling the function SFSafariViewController.
|
|||||
| CVE-2023-7013 | 1 Google | 1 Chrome | 2024-11-25 | N/A | 4.7 MEDIUM |
|
Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. (Chromium security severity: Medium)
|
|||||
| CVE-2024-39320 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 6.1 MEDIUM |
|
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.
|
|||||
| CVE-2024-2383 | 1 Zenml | 1 Zenml | 2024-11-21 | N/A | 6.1 MEDIUM |
|
A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.
|
|||||
| CVE-2024-20810 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 3.3 LOW |
|
Implicit intent hijacking vulnerability in Smart Suggestions prior to SMR Feb-2024 Release 1 allows local attackers to get sensitive information.
|
|||||
| CVE-2024-0669 | 1 Plone | 1 Plone | 2024-11-21 | N/A | 6.3 MEDIUM |
|
A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting verssion below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicios iframe element.
|
|||||
| CVE-2023-6867 | 2 Debian, Mozilla | 3 Debian Linux, Firefox, Firefox Esr | 2024-11-21 | N/A | 6.1 MEDIUM |
|
The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox ESR < 115.6 and Firefox < 121.
|
|||||
| CVE-2023-6211 | 1 Mozilla | 1 Firefox | 2024-11-21 | N/A | 6.5 MEDIUM |
|
If an attacker needed a user to load an insecure http: page and knew that user had enabled HTTPS-only mode, the attacker could have tricked the user into clicking to grant an HTTPS-only exception if they could get the user to participate in a clicking game. This vulnerability affects Firefox < 120.
|
|||||
| CVE-2023-6206 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. It was possible to use this fact to surprise users by luring them to click where the permission grant button would be about to appear. This vulnerability affects Firefox < 120, Firefox ESR < 115.5.0, and Thunderbird < 115.5.
|
|||||
| CVE-2023-6093 | 1 Moxa | 2 Oncell G3150a-lte, Oncell G3150a-lte Firmware | 2024-11-21 | N/A | 5.3 MEDIUM |
|
A clickjacking vulnerability has been identified in OnCell G3150A-LTE Series firmware versions v1.3 and prior. This vulnerability is caused by incorrectly restricts frame objects, which can lead to user confusion about which interface the user is interacting with. This vulnerability may lead the attacker to trick the user into interacting with the application.
|
|||||
| CVE-2023-5721 | 2 Debian, Mozilla | 4 Debian Linux, Firefox, Firefox Esr and 1 more | 2024-11-21 | N/A | 4.3 MEDIUM |
|
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
|
|||||
| CVE-2023-5103 | 1 Sick | 2 Apu0200, Apu0200 Firmware | 2024-11-21 | N/A | 4.3 MEDIUM |
|
Improper Restriction of Rendered UI Layers or Frames in RDT400 in SICK APU allows an unprivileged remote attacker to potentially reveal sensitive information via tricking a user into
clicking on an actionable item using an iframe.
|
|||||
| CVE-2023-4958 | 1 Redhat | 1 Advanced Cluster Security | 2024-11-21 | N/A | 6.1 MEDIUM |
|
In Red Hat Advanced Cluster Security (RHACS), it was found that some security related HTTP headers were missing, allowing an attacker to exploit this with a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page, that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.
|
|||||
| CVE-2023-4956 | 1 Redhat | 1 Quay | 2024-11-21 | N/A | 6.5 MEDIUM |
|
A flaw was found in Quay. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. During the pentest, it has been detected that the config-editor page is vulnerable to clickjacking. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance.
|
|||||
| CVE-2023-4229 | 1 Moxa | 2 Iologik E4200, Iologik E4200 Firmware | 2024-11-21 | N/A | 4.3 MEDIUM |
|
A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, potentially exposing users to security risks. This vulnerability may allow attackers to trick users into interacting with malicious content, leading to unintended actions or unauthorized data disclosures.
|
|||||
| CVE-2023-47311 | 1 Spaceapplications | 1 Yacms | 2024-11-21 | N/A | 6.1 MEDIUM |
|
An issue in Yamcs 5.8.6 allows attackers to send aribitrary telelcommands in a Command Stack via Clickjacking.
|
|||||
| CVE-2023-45698 | 1 Hcltech | 1 Sametime Chat And Meetings | 2024-11-21 | N/A | 4.8 MEDIUM |
|
Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks.
|
|||||
| CVE-2023-42011 | 1 Ibm | 1 Sterling B2b Integrator | 2024-11-21 | N/A | 4.3 MEDIUM |
|
IBM Sterling B2B Integrator Standard Edition 6.1 and 6.2 does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. IBM X-Force ID: 265508.
|
|||||
| CVE-2023-41897 | 1 Home-assistant | 1 Home-assistant | 2024-11-21 | N/A | 8.8 HIGH |
|
Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicio ...
Show More |
|||||
| CVE-2023-3140 | 1 Knime | 1 Business Hub | 2024-11-21 | N/A | 4.3 MEDIUM |
|
Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME
Business Hub before 1.4.0 has left users vulnerable to click
jacking. Clickjacking is an attack that occurs when an attacker uses a
transparent iframe in a window to trick a user into clicking on an
actionable item, such as a button or link, to another server in which
they have an identical webpage. The attacker essentially hijacks the
user activity intended for the original server and sends them to the
other server.
|
|||||
| CVE-2023-38873 | 1 Economizzer | 1 Economizzer | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer is vulnerable to Clickjacking. Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
|
|||||
| CVE-2023-37455 | 1 Mozilla | 1 Firefox | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The permission request prompt from the site in the background tab was overlaid on top of the site in the foreground tab. This vulnerability affects Firefox for iOS < 115.
|
|||||