Filtered by CWE-1021
Total 364 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-41897 1 Home-assistant 1 Home-assistant 2024-11-21 8.8 High
Home assistant is an open source home automation. Home Assistant server does not set any HTTP security headers, including the X-Frame-Options header, which specifies whether the web page is allowed to be framed. The omission of this and correlating headers facilitates covert clickjacking attacks and alternative exploit opportunities, such as the vector described in this security advisory. This fault incurs major risk, considering the ability to trick users into installing an external and malicious add-on with minimal user interaction, which would enable Remote Code Execution (RCE) within the Home Assistant application. This issue has been addressed in version 2023.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-38873 1 Economizzer 1 Economizzer 2024-11-21 6.5 Medium
The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer is vulnerable to Clickjacking. Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
CVE-2023-37455 1 Mozilla 1 Firefox 2024-11-21 5.4 Medium
The permission request prompt from the site in the background tab was overlaid on top of the site in the foreground tab. This vulnerability affects Firefox for iOS < 115.
CVE-2023-36920 1 Sap 4 Enable Now Enable Now Consump Del, Enable Now Wpb Manager, Enable Now Wpb Manager Ce and 1 more 2024-11-21 6.1 Medium
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or modification of information.
CVE-2023-30961 1 Palantir 2 Gotham-fe-bundle, Titanium-browser-app-bundle 2024-11-21 6.5 Medium
Palantir Gotham was found to be vulnerable to a bug where under certain circumstances, the frontend could have applied an incorrect classification to a newly created property or link.
CVE-2023-2265 1 Selinc 2 Sel-411l, Sel-411l Firmware 2024-11-21 4.3 Medium
An Improper Restriction of Rendered UI Layers or Frames in the Schweitzer Engineering Laboratories SEL-411L could allow an unauthenticated attacker to perform clickjacking based attacks against an authenticated and authorized user. See product Instruction Manual Appendix A dated 20230830 for more details.
CVE-2023-23126 1 Connectwise 1 Automate 2024-11-21 6.1 Medium
Connectwise Automate 2022.11 is vulnerable to Clickjacking. The login screen can be iframed and used to manipulate users to perform unintended actions. NOTE: the vendor's position is that a Content-Security-Policy HTTP response header is present to block this attack.
CVE-2023-0654 1 Cloudflare 1 Warp 2024-11-21 3.9 Low
Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on a victim's device, the attacker would be able to trick the user into believing that the app shown on the screen was the WARP client when in reality it was the attacker's app.
CVE-2022-3167 1 Ikus-soft 1 Rdiffweb 2024-11-21 8.8 High
Improper Restriction of Rendered UI Layers or Frames in GitHub repository ikus060/rdiffweb prior to 2.4.1.
CVE-2022-3032 2 Mozilla, Redhat 4 Thunderbird, Enterprise Linux, Rhel E4s and 1 more 2024-11-21 6.5 Medium
When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed. This vulnerability affects Thunderbird < 102.2.1 and Thunderbird < 91.13.1.
CVE-2022-36736 1 Jitsi 1 Jitsi 2024-11-21 6.1 Medium
Jitsi-2.10.5550 was discovered to contain a vulnerability in its web UI which allows attackers to perform a clickjacking attack via a crafted HTTP request. NOTE: this is disputed by the vendor.
CVE-2022-34162 1 Ibm 1 Cics Tx 2024-11-21 6.1 Medium
IBM CICS TX 11.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 229332.
CVE-2022-33727 1 Google 1 Android 2024-11-21 4.8 Medium
A vulnerable code in onCreate of SecDevicePickerDialog prior to SMR Aug-2022 Release 1, allows attackers to trick the user to select an unwanted bluetooth device via tapjacking/overlay attack.
CVE-2022-33723 1 Google 1 Android 2024-11-21 4.8 Medium
A vulnerable code in onCreate of BluetoothScanDialog prior to SMR Aug-2022 Release 1, allows attackers to trick the user to select an unwanted bluetooth device via tapjacking/overlay attack.
CVE-2022-2965 1 Notrinos 1 Notrinoserp 2024-11-21 4.3 Medium
Improper Restriction of Rendered UI Layers or Frames in GitHub repository notrinos/notrinoserp prior to 0.7.
CVE-2022-2734 1 Open-emr 1 Openemr 2024-11-21 5.4 Medium
Improper Restriction of Rendered UI Layers or Frames in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2022-28889 1 Apache 1 Druid 2024-11-21 4.3 Medium
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
CVE-2022-28649 1 Jetbrains 1 Youtrack 2024-11-21 4.6 Medium
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description.
CVE-2022-27220 1 Siemens 1 Sinema Remote Connect Server 2024-11-21 4.3 Medium
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 6220. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors.
CVE-2022-27219 1 Siemens 1 Sinema Remote Connect Server 2024-11-21 4.3 Medium
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 443. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors.