Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-1021
Total 213 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-3794 1 Pivotal Software 1 Cloud Foundry Uaa 2020-10-16 4.3 MEDIUM 5.4 MEDIUM
Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA's frontend sites.
CVE-2019-7393 1 Ca 2 Risk Authentication, Strong Authentication 2020-10-06 4.0 MEDIUM 4.3 MEDIUM
A UI redress vulnerability in the administrative user interface of CA Technologies CA Strong Authentication 9.0.x, 8.2.x, 8.1.x, 8.0.x, 7.1.x and CA Risk Authentication 9.0.x, 8.2.x, 8.1.x, 8.0.x, 3.1.x may allow a remote attacker to gain sensitive information in some cases.
CVE-2020-4727 1 Ibm 1 Infosphere Information Server 2020-09-29 4.3 MEDIUM 6.1 MEDIUM
IBM InfoSphere Information Server 11.7 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.
CVE-2020-13119 1 Gogogate 2 Ismartgate Pro, Ismartgate Pro Firmware 2020-09-27 4.3 MEDIUM 8.1 HIGH
ismartgate PRO 1.5.9 is vulnerable to clickjacking.
CVE-2018-15423 1 Cisco 1 Hyperflex Hx Data Platform 2020-09-16 4.3 MEDIUM 4.7 MEDIUM
A vulnerability in the web UI of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted HTTP packets with malicious iFrame data. A successful exploit could allow the attacker to perform a clickjacking attack where the user is tricked into clicking a malicious link.
CVE-2018-0355 1 Cisco 1 Unified Communications Manager 2020-09-04 4.3 MEDIUM 6.1 MEDIUM
A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCvg19761.
CVE-2020-7705 1 Mintegral 1 Mintegraladsdk 2020-09-02 5.8 MEDIUM 8.1 HIGH
This affects the package MintegralAdSDK from 0.0.0. The SDK distributed by the company contains malicious functionality that tracks any URL opened by the app and reports it back to the company, along with performing advertisement attribution fraud. Mintegral can remotely activate hooks on the UIApplication, openURL, SKStoreProductViewController, loadProductWithParameters and NSURLProtocol methods along with anti-debug and proxy detection protection. If those hooks are active MintegralAdSDK sends obfuscated data about every opened URL in an application to their servers. Note that the malicious functionality is enabled even if the SDK was not enabled to serve ads.
CVE-2020-4165 2 Ibm, Linux 2 Security Guardium Insights, Linux Kernel 2020-09-02 3.5 LOW 5.4 MEDIUM
IBM Security Guardium Insights 2.0.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 174401.
CVE-2018-6909 1 Rainmachine 1 Rainmachine Web Application 2020-08-24 4.3 MEDIUM 6.5 MEDIUM
A missing X-Frame-Options header in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application could be used by a remote attacker for clickjacking, as demonstrated by triggering an API page request.
CVE-2018-7491 1 Prestashop 1 Prestashop 2020-08-24 5.0 MEDIUM 7.5 HIGH
In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy "frame-ancestors' values.
CVE-2019-9147 1 Mailvelope 1 Mailvelope 2020-08-24 4.3 MEDIUM 4.3 MEDIUM
Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed.
CVE-2018-18496 2 Microsoft, Mozilla 2 Windows, Firefox 2020-08-24 6.8 MEDIUM 8.8 HIGH
When the RSS Feed preview about:feeds page is framed within another page, it can be used in concert with scripted content for a clickjacking attack that confuses users into downloading and executing an executable file from a temporary directory. *Note: This issue only affects Windows operating systems. Other operating systems are not affected.*. This vulnerability affects Firefox < 64.
CVE-2018-1803 1 Ibm 1 Security Access Manager 2020-08-24 4.3 MEDIUM 6.1 MEDIUM
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 149702.
CVE-2019-12880 1 Bcnquark 1 Quarking Password Manager 2020-08-24 4.3 MEDIUM 4.3 MEDIUM
BCN Quark Quarking Password Manager 3.1.84 suffers from a clickjacking vulnerability caused by allowing * within web_accessible_resources. An attacker can take advantage of this vulnerability and cause significant harm.
CVE-2019-5767 4 Debian, Fedoraproject, Google and 1 more 7 Debian Linux, Fedora, Android and 4 more 2020-08-24 4.3 MEDIUM 6.5 MEDIUM
Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.81 allowed an attacker who convinced the user to install a malicious application to access privacy/security sensitive web APIs via a crafted APK.
CVE-2019-5243 1 Huawei 2 Hg255s, Hg255s Firmware 2020-08-24 4.3 MEDIUM 4.3 MEDIUM
There is a Clickjacking vulnerability in Huawei HG255s product. An attacker may trick user to click a link and affect the integrity of a device by exploiting this vulnerability.
CVE-2018-6178 3 Debian, Google, Redhat 5 Debian Linux, Chrome, Enterprise Linux Desktop and 2 more 2020-08-24 4.3 MEDIUM 4.3 MEDIUM
Eliding from the wrong side in an infobar in DevTools in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to Hide Chrome Security UI via a crafted Chrome Extension.
CVE-2018-1432 1 Ibm 1 Infosphere Information Server 2020-08-24 4.3 MEDIUM 6.1 MEDIUM
IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to cross-frame scripting which is a vulnerability that allows an attacker to load Information Server components inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks. IBM X-Force ID: 139360.
CVE-2018-17192 1 Apache 1 Nifi 2020-08-24 4.3 MEDIUM 6.5 MEDIUM
The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix to consistently apply the security headers was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
CVE-2018-16172 1 Cybozu 1 Remote Service Manager 2020-08-24 5.8 MEDIUM 6.5 MEDIUM
Improper countermeasure against clickjacking attack in client certificates management screen was discovered in Cybozu Remote Service 3.0.0 to 3.1.8, that allows remote attackers to trick a user to delete the registered client certificate.