CWE-1021: Improper Restriction of Rendered UI Layers or Frames (Clickjacking)

374 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.

CVEs classified under CWE-1021 (page 1 of 8). Each entry lists: CVE ID | severity | CVSS score | EG score | date.
- CVE-2005-2407 | NONE | CVSS 0.0 | EG 0.0 | 2005-08-01
  A design error in Opera 8.01 and earlier allows user-assisted attackers to execute arbitrary code by overlaying a malicious new window above a file download dialog box, then tricking the user into double-clicking on the "Run" button, aka "…
- CVE-2008-2716 | NONE | CVSS 0.0 | EG 0.0 | 2008-06-16
  Unspecified vulnerability in Opera before 9.5 allows remote attackers to spoof the contents of trusted frames on the same parent page by modifying the location, which can facilitate phishing attacks.
- CVE-2011-1244 | NONE | CVSS 0.0 | EG 0.0 | 2011-04-13
  Microsoft Internet Explorer 6, 7, and 8 does not enforce intended domain restrictions on content access, which allows remote attackers to obtain sensitive information or conduct clickjacking attacks via a crafted web site, aka "Frame Tag I…
- CVE-2013-2675 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-02-05
  Brother MFC-9970CDW 1.10 devices with Firmware L contain a Frameable response (Clickjacking) vulnerability which could allow remote attackers to obtain sensitive information.
- CVE-2013-2682 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-02-05
  Cisco Linksys E4200 1.0.05 Build 7 devices contain a Clickjacking Vulnerability which allows remote attackers to obtain sensitive information.
- CVE-2013-5594 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-02-18
  Mozilla Firefox before 25 allows modification of anonymous content of the pluginProblem.xml binding.
- CVE-2013-5614 | NONE | CVSS 0.0 | EG 0.0 | 2013-12-11
  Mozilla Firefox before 26.0 and SeaMonkey before 2.23 do not properly consider the sandbox attribute of an IFRAME element during processing of a contained OBJECT element, which allows remote attackers to bypass intended sandbox restriction…
- CVE-2013-6772 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-01-23
  Splunk before 5.0.4 lacks X-Frame-Options, which can allow clickjacking.
- CVE-2014-1480 | NONE | CVSS 0.0 | EG 0.0 | 2014-02-06
  The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjacking attacks, and trigger unintended lau…
- CVE-2014-1483 | NONE | CVSS 0.0 | EG 0.0 | 2014-02-06
  Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the documen…
- CVE-2015-5686 | HIGH | CVSS 8.8 | EG 8.8 | 2020-02-27
  Parts of the Puppet Enterprise Console 3.x were found to be susceptible to clickjacking and CSRF (Cross-Site Request Forgery) attacks. This would allow an attacker to redirect user input to an untrusted site or hijack a user session.
- CVE-2016-5710 | MEDIUM | CVSS 4.6 | EG 4.6 | 2020-02-11
  NetApp Snap Creator Framework before 4.3P1 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors.
- CVE-2017-16775 | HIGH | CVSS 7.1 | EG 6.1 | 2019-04-01
  Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
- CVE-2017-20041 | MEDIUM | CVSS 5.4 | EG 6.5 | 2022-06-13
  A vulnerability was found in Ucweb UC Browser 11.2.5.932. It has been classified as critical. Affected is an unknown function of the component HTML Handler. The manipulation of the argument title leads to improper restriction of rendered u…
- CVE-2018-0355 | MEDIUM | CVSS 6.1 | EG 6.1 | 2018-06-07
  A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vu…
- CVE-2018-12576 | MEDIUM | CVSS 4.3 | EG 4.3 | 2018-07-02
  TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices allow clickjacking.
- CVE-2018-1432 | MEDIUM | CVSS 6.1 | EG 6.1 | 2018-06-05
  IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to cross-frame scripting, which is a vulnerability that allows an attacker to load Information Server components inside an HTML iframe tag on a malicious page. The at…
- CVE-2018-15423 | MEDIUM | CVSS 4.7 | EG 4.7 | 2018-10-05
  A vulnerability in the web UI of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame da…
- CVE-2018-16172 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-01-09
  Improper countermeasure against clickjacking attack in the client certificates management screen was discovered in Cybozu Remote Service 3.0.0 to 3.1.8, which allows remote attackers to trick a user into deleting the registered client certificate.
- CVE-2018-17192 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-12-19
  The X-Frame-Options headers were applied inconsistently on some HTTP responses, resulting in duplicate or missing security headers. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. Mitigation: The fix…
- CVE-2018-1803 | MEDIUM | CVSS 6.1 | EG 6.1 | 2018-12-13
  IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could …
- CVE-2018-18496 | HIGH | CVSS 8.8 | EG 8.8 | 2019-02-28
  When the RSS Feed preview about:feeds page is framed within another page, it can be used in concert with scripted content for a clickjacking attack that confuses users into downloading and executing an executable file from a temporary dire…
- CVE-2018-1853 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-04-08
  IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerabili…
- CVE-2018-19957 | MEDIUM | CVSS 6.1 | EG 6.1 | 2021-09-10
  A vulnerability involving insufficient HTTP security headers has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. This vulnerability allows remote attackers to launch privacy and security attacks. We have already fix…
- CVE-2018-6178 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-01-09
  Eliding from the wrong side in an infobar in DevTools in Google Chrome prior to 68.0.3440.75 allowed an attacker who convinced a user to install a malicious extension to hide Chrome Security UI via a crafted Chrome Extension.
- CVE-2018-6909 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-11-01
  A missing X-Frame-Options header in the Green Electronics RainMachine Mini-8 (2nd Generation) and Touch HD 12 web application could be used by a remote attacker for clickjacking, as demonstrated by triggering an API page request.
- CVE-2018-7491 | HIGH | CVSS 7.5 | EG 7.5 | 2018-02-26
  In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Fr…
- CVE-2018-9458 | HIGH | CVSS 7.8 | EG 7.8 | 2018-11-06
  In computeFocusedWindow of RootWindowContainer.java, and related functions, there is possible interception of keypresses due to focus being on the wrong window. This could lead to local escalation of privilege revealing the user's keypress…
- CVE-2018-9524 | HIGH | CVSS 7.8 | EG 7.8 | 2018-11-14
  In functionality implemented in System UI, there are insufficient protections implemented around overlay windows. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed f…
- CVE-2019-0305 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-06-12
  Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict or incorrectly restrict frame objects or UI layers that belong to another app…
- CVE-2019-12880 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-06-24
  BCN Quark Quarking Password Manager 3.1.84 suffers from a clickjacking vulnerability caused by allowing * within web_accessible_resources. An attacker can take advantage of this vulnerability and cause significant harm.
- CVE-2019-13924 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-02-11
  A vulnerability has been identified in SCALANCE S602 (All versions < V4.1), SCALANCE S612 (All versions < V4.1), SCALANCE S623 (All versions < V4.1), SCALANCE S627-2M (All versions < V4.1), SCALANCE X-200 switch family (incl. SIPLUS NET va…
- CVE-2019-15930 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-12-12
  Intesync Solismed 3.3sp allows Clickjacking.
- CVE-2019-16175 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-09-09
  A clickjacking vulnerability was found in Limesurvey before 3.17.14.
- CVE-2019-16371 | HIGH | CVSS 8.2 | EG 8.2 | 2019-09-16
  LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted web site that captures the credentials for a victim's account on a previously visited web site, because do_popupregister can be bypassed via clickjacking.
- CVE-2019-17131 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-10-04
  vBulletin before 5.5.4 allows clickjacking.
- CVE-2019-19001 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-04-02
  For ABB eSOMS versions 4.0 to 6.0.2, the X-Frame-Options header is not configured in the HTTP response. This can potentially allow 'ClickJacking' attacks where an attacker can frame parts of the application on a malicious web site, revealing s…
- CVE-2019-1975 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-09-18
  A vulnerability in the web-based interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack on an affected device. This vulnerability is due to insufficient HTML if…
- CVE-2019-2125 | HIGH | CVSS 7.3 | EG 7.3 | 2019-08-20
  In ChangeDefaultDialerDialog.java, there is a possible escalation of privilege due to an overlay attack. This could lead to local escalation of privilege, granting privileges to a local app without the user's informed consent, with no addi…
- CVE-2019-3639 | HIGH | CVSS 7.1 | EG 7.1 | 2019-08-14
  Clickjack vulnerability in the Administrator web console in McAfee Web Gateway (MWG) 7.8.2.x prior to 7.8.2.12 allows remote attackers to conduct clickjacking attacks via a crafted web page that contains an iframe, because the console does not send an X-Frame-O…
- CVE-2019-3794 | MEDIUM | CVSS 5.4 | EG 5.4 | 2019-07-18
  Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA's frontend sites.
- CVE-2019-4058 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-05-20
  IBM BigFix Platform 9.2 and 9.5 could allow a low-privilege user to manipulate the UI into exposing interface elements and information normally restricted to administrators. IBM X-Force ID: 156570.
- CVE-2019-4086 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-09-17
  IBM Cloud Application Performance Management 8.1.4 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijac…
- CVE-2019-4109 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-09-30
  IBM WebSphere eXtreme Scale 8.6 Admin Console could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the…
- CVE-2019-4215 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-11-22
  IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the …
- CVE-2019-4217 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-06-06
  IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerabili…
- CVE-2019-4285 | MEDIUM | CVSS 5.4 | EG 5.4 | 2019-07-30
  IBM WebSphere Application Server - Liberty Admin Center could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP …
- CVE-2019-4323 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-07-07
  HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame.
- CVE-2019-4548 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-02-04
  IBM Security Directory Server 6.4.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's …
- CVE-2019-4742 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-12-20
  IBM Financial Transaction Manager 3.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim'…