Vulnerabilities (CVE)


Filtered by CWE-1021
Total 213 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3

CVE-2022-27219 | Vendors (1): Siemens | Products (1): Sinema Remote Connect Server | Updated: 2022-06-23 | CVSS v2: 4.3 MEDIUM | CVSS v3: 4.3 MEDIUM
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 443. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors.

CVE-2017-20041 | Vendors (1): Ucweb | Products (1): Uc Browser | Updated: 2022-06-22 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.5 MEDIUM
A vulnerability was found in Ucweb UC Browser 11.2.5.932. It has been classified as critical. Affected is an unknown function of the component HTML Handler. The manipulation of the argument title leads to improper restriction of rendered UI layers (URL). It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2020-9942 | Vendors (1): Apple | Products (2): Mac Os X, Safari | Updated: 2022-06-02 | CVSS v2: 4.3 MEDIUM | CVSS v3: 4.3 MEDIUM
An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1, Safari 13.1.2. Visiting a malicious website may lead to address bar spoofing.

CVE-2020-9945 | Vendors (1): Apple | Products (2): Mac Os X, Safari | Updated: 2022-06-02 | CVSS v2: 4.3 MEDIUM | CVSS v3: 4.3 MEDIUM
A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, Safari 14.0.1. Visiting a malicious website may lead to address bar spoofing.

CVE-2021-46708 | Vendors (1): Smartbear | Products (1): Swagger Ui | Updated: 2022-06-01 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.

CVE-2022-1803 | Vendors (1): Trudesk Project | Products (1): Trudesk | Updated: 2022-06-01 | CVSS v2: 4.9 MEDIUM | CVSS v3: 6.9 MEDIUM
Improper Restriction of Rendered UI Layers or Frames in GitHub repository polonel/trudesk prior to 1.2.2.

CVE-2021-23976 | Vendors (1): Mozilla | Products (1): Firefox | Updated: 2022-05-27 | CVSS v2: 5.8 MEDIUM | CVSS v3: 8.1 HIGH
When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. Note: This issue is a different issue from CVE-2020-26954 and only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 86.

CVE-2021-27773 | Vendors (1): Hcltech | Products (1): Sametime | Updated: 2022-05-24 | CVSS v2: 4.3 MEDIUM | CVSS v3: 4.3 MEDIUM
This vulnerability allows users to execute a clickjacking attack in the meeting's chat.

CVE-2021-39796 | Vendors (1): Google | Products (1): Android | Updated: 2022-04-20 | CVSS v2: 6.9 MEDIUM | CVSS v3: 7.3 HIGH
In HarmfulAppWarningActivity of HarmfulAppWarningActivity.java, there is a possible way to trick victim to install harmful app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12, Android-12L. Android ID: A-205595291.

CVE-2022-28649 | Vendors (1): Jetbrains | Products (1): Youtrack | Updated: 2022-04-18 | CVSS v2: 3.5 LOW | CVSS v3: 5.4 MEDIUM
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description.

CVE-2021-44683 | Vendors (1): Duckduckgo | Products (1): Duckduckgo | Updated: 2022-03-31 | CVSS v2: 5.8 MEDIUM | CVSS v3: 8.2 HIGH
The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker's web site.

CVE-2021-37971 | Vendors (3): Debian, Fedoraproject, Google | Products (3): Debian Linux, Fedora, Chrome | Updated: 2022-03-30 | CVSS v2: 4.3 MEDIUM | CVSS v3: 4.3 MEDIUM
Incorrect security UI in Web Browser UI in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

CVE-2021-39692 | Vendors (1): Google | Products (1): Android | Updated: 2022-03-23 | CVSS v2: 9.3 HIGH | CVSS v3: 7.8 HIGH
In onCreate of SetupLayoutActivity.java, there is a possible way to setup a work profile bypassing user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-12. Android ID: A-209611539.

CVE-2021-39702 | Vendors (1): Google | Products (1): Android | Updated: 2022-03-23 | CVSS v2: 9.3 HIGH | CVSS v3: 7.8 HIGH
In onCreate of RequestManageCredentials.java, there is a possible way for a third party app to install certificates without user approval due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-12. Android ID: A-205150380.

CVE-2022-24733 | Vendors (1): Sylius | Products (1): Sylius | Updated: 2022-03-22 | CVSS v2: 5.8 MEDIUM | CVSS v3: 6.1 MEDIUM
Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from the app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app.

CVE-2021-27414 | Vendors (1): Abb | Products (1): Ellipse Enterprise Asset Management | Updated: 2022-03-18 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
An attacker could trick a user of Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) versions prior to and including 9.0.25 into visiting a malicious website posing as a login page for the Ellipse application and gather authentication credentials.

CVE-2021-39038 | Vendors (1): Ibm | Products (1): Websphere Application Server | Updated: 2022-03-03 | CVSS v2: 3.5 LOW | CVSS v3: 5.4 MEDIUM
IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 213968.

CVE-2008-2716 | Vendors (1): Opera | Products (1): Opera Browser | Updated: 2022-03-01 | CVSS v2: 5.0 MEDIUM | CVSS v3: N/A
Unspecified vulnerability in Opera before 9.5 allows remote attackers to spoof the contents of trusted frames on the same parent page by modifying the location, which can facilitate phishing attacks.

CVE-2011-1244 | Vendors (1): Microsoft | Products (6): Internet Explorer, Windows 7, Windows Server 2003 and 3 more | Updated: 2022-02-28 | CVSS v2: 5.8 MEDIUM | CVSS v3: N/A
Microsoft Internet Explorer 6, 7, and 8 does not enforce intended domain restrictions on content access, which allows remote attackers to obtain sensitive information or conduct clickjacking attacks via a crafted web site, aka "Frame Tag Information Disclosure Vulnerability."

CVE-2005-2407 | Vendors (1): Opera | Products (1): Opera Browser | Updated: 2022-02-28 | CVSS v2: 5.1 MEDIUM | CVSS v3: N/A
A design error in Opera 8.01 and earlier allows user-assisted attackers to execute arbitrary code by overlaying a malicious new window above a file download dialog box, then tricking the user into double-clicking on the "Run" button, aka "link hijacking".