CWE-1021: Improper Restriction of Rendered UI Layers or Frames (Clickjacking)
374 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-1021 (page 2 of 8)
- CVE-2019-5243 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-06-10
  There is a Clickjacking vulnerability in Huawei HG255s product. An attacker may trick a user into clicking a link and affect the integrity of a device by exploiting this vulnerability.
- CVE-2019-5767 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-02-19
  Insufficient protection of permission UI in WebAPKs in Google Chrome on Android prior to 72.0.3626.81 allowed an attacker who convinced the user to install a malicious application to access privacy/security sensitive web APIs via a crafted…
- CVE-2019-5861 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-11-25
  Insufficient data validation in Blink in Google Chrome prior to 76.0.3809.87 allowed a remote attacker to bypass anti-clickjacking policy via a crafted HTML page.
- CVE-2019-7393 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-05-28
  A UI redress vulnerability in the administrative user interface of CA Technologies CA Strong Authentication 9.0.x, 8.2.x, 8.1.x, 8.0.x, 7.1.x and CA Risk Authentication 9.0.x, 8.2.x, 8.1.x, 8.0.x, 3.1.x may allow a remote attacker to gain …
- CVE-2019-8771 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-10-27
  This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 13.0.1, iOS 13. Maliciously crafted web content may violate iframe sandboxing policy.
- CVE-2019-9147 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-07-09
  Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_…
- CVE-2020-0014 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-02-13
  It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed f…
- CVE-2020-0051 | HIGH | CVSS 7.8 | EG 7.8 | 2020-03-10
  In onCreate of SettingsHomepageActivity, there is a possible tapjacking attack. This could lead to local escalation of privilege in Settings with no additional execution privileges needed. User interaction is needed for exploitation. Produc…
- CVE-2020-0366 | HIGH | CVSS 7.8 | EG 7.8 | 2020-09-17
  In PackageInstaller, there is a possible permissions bypass due to a tapjacking vulnerability. This could lead to local escalation of privilege using an app set as the default Assist app with User execution privileges needed. User interact…
- CVE-2020-0386 | MEDIUM | CVSS 5.5 | EG 5.5 | 2020-09-17
  In onCreate of RequestPermissionActivity.java, there is a possible tapjacking vector due to an insecure default value. This could lead to local escalation of privilege allowing an attacker to set Bluetooth discoverability with User executi…
- CVE-2020-0387 | HIGH | CVSS 7.8 | EG 7.8 | 2020-09-17
  In manifest files of the SmartSpace package, there is a possible tapjacking vector due to a missing permission check. This could lead to local escalation of privilege and account hijacking with no additional execution privileges needed. Us…
- CVE-2020-0394 | HIGH | CVSS 7.8 | EG 7.8 | 2020-09-17
  In onCreate of BluetoothPairingDialog.java, there is a possible tapjacking vector due to an insecure default value. This could lead to local escalation of privilege and untrusted devices accessing contact lists with no additional execution…
- CVE-2020-10743 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-06-02
  It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary…
- CVE-2020-10951 | MEDIUM | CVSS 4.7 | EG 4.7 | 2020-04-15
  Western Digital My Cloud Home and ibi devices before 2.2.0 allow clickjacking on sign-in pages.
- CVE-2020-13119 | HIGH | CVSS 8.1 | EG 8.1 | 2020-09-24
  ismartgate PRO 1.5.9 is vulnerable to clickjacking.
- CVE-2020-13174 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-08-11
  The web server in the Teradici Management console versions 20.04 and 20.01.1 did not properly set the X-Frame-Options HTTP header, which could allow an attacker to trick a user into clicking a malicious link via clickjacking.
- CVE-2020-15648 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-08-10
  Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
- CVE-2020-15793 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-10-15
  A vulnerability has been identified in Desigo Insight (All versions). The device does not properly set the X-Frame-Options HTTP Header which makes it vulnerable to Clickjacking attacks. This could allow an unauthenticated attacker to retri…
- CVE-2020-16031 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-01-08
  Insufficient data validation in UI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
- CVE-2020-16032 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-01-08
  Insufficient data validation in sharing in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
- CVE-2020-16033 | MEDIUM | CVSS 4.3 | EG 4.3 | 2021-01-08
  Inappropriate implementation in WebUSB in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof security UI via a crafted HTML page.
- CVE-2020-1728 | MEDIUM | CVSS 4.8 | EG 4.8 | 2020-04-06
  A vulnerability was found in all versions of Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP responses. This does not directly lead to a security issue, ye…
- CVE-2020-2105 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-01-29
  REST API endpoints in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier were vulnerable to clickjacking attacks.
- CVE-2020-24711 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-10-28
  The Reset button on the Account Settings page in Gophish before 0.11.0 allows attackers to cause a denial of service via a clickjacking attack.
- CVE-2020-26953 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-12-09
  It was possible to cause the browser to enter fullscreen mode without displaying the security UI, thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78…
- CVE-2020-26962 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-12-09
  Cross-origin iframes that contained a login form could have been recognized by the login autofill service, and populated. This could have been used in clickjacking attacks, as well as be read across partitions in dynamic first party isolat…
- CVE-2020-27059 | HIGH | CVSS 7.8 | EG 7.8 | 2021-01-11
  In onAuthenticated of AuthenticationClient.java, there is a possible tapjacking attack when requesting the user's fingerprint due to an overlaid window. This could lead to local escalation of privilege with no additional execution privileg…
- CVE-2020-28218 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-12-11
  A CWE-1021: Improper Restriction of Rendered UI Layers or Frames vulnerability exists in Easergy T300 (firmware 2.7 and older), that would allow an attacker to trick a user into initiating an unintended action.
- CVE-2020-35735 | MEDIUM | CVSS 4.7 | EG 4.7 | 2020-12-29
  Vidyo 02-09-/D allows clickjacking via the portal/ URI.
- CVE-2020-4165 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-08-24
  IBM Security Guardium Insights 2.0.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's…
- CVE-2020-4195 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-05-12
  IBM API Connect V2018.4.1.0 through 2018.4.1.10 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack t…
- CVE-2020-4322 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-06-24
  IBM Security Secret Server 10.7 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's clic…
- CVE-2020-4406 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-06-15
  IBM Spectrum Protect Client 8.1.7.0 through 8.1.9.1 (Linux and Windows), 8.1.9.0 through 8.1.9.1 (AIX) and IBM Spectrum Protect for Space Management 8.1.7.0 through 8.1.9.1 (Linux), 8.1.9.0 through 8.1.9.1 (AIX) web user interfaces could al…
- CVE-2020-4547 | MEDIUM | CVSS 5.4 | EG 5.4 | 2021-01-27
  IBM Jazz Foundation products could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click a…
- CVE-2020-4644 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-07-29
  IBM Planning Analytics Local 2.0.0 through 2.0.9.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijac…
- CVE-2020-4727 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-09-25
  IBM InfoSphere Information Server 11.7 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim…
- CVE-2020-4785 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-11-03
  IBM App Connect Enterprise Certified Container 1.0.0, 1.0.1, 1.0.2, 1.0.3, and 1.0.4 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could e…
- CVE-2020-5020 | MEDIUM | CVSS 6.1 | EG 6.1 | 2021-01-08
  IBM Spectrum Protect Plus 10.1.0 through 10.1.6 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack t…
- CVE-2020-5679 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-12-03
  Improper restriction of rendered UI layers or frames in EC-CUBE versions from 3.0.0 to 3.0.18 leads to clickjacking attacks. If a user accesses a specially crafted page while logged into the administrative page, unintended operations may b…
- CVE-2020-6547 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-09-21
  Incorrect security UI in media in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially obtain sensitive information via a crafted HTML page.
- CVE-2020-6827 | MEDIUM | CVSS 4.7 | EG 4.7 | 2020-04-24
  When following a link that opened an intent://-schemed URL, causing a custom tab to be opened, Firefox for Android could be tricked into displaying the incorrect URI. *Note: This issue only affects Firefox for Android. Other operating…
- CVE-2020-7371 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-10-20
  User Interface (UI) Misrepresentation of Critical Information vulnerability in the address bar of the Yandex Browser allows an attacker to obfuscate the true source of data as presented in the browser. This issue affects the RITS Browser v…
- CVE-2020-7705 | HIGH | CVSS 7.1 | EG 8.1 | 2020-08-24
  This affects the package MintegralAdSDK from 0.0.0. The SDK distributed by the company contains malicious functionality that tracks any URL opened by the app and reports it back to the company, along with performing advertisement attributi…
- CVE-2020-9444 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-04-20
  Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown functionality.
- CVE-2020-9517 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-03-09
  There is an improper restriction of rendered UI layers or frames vulnerability in Micro Focus Service Manager Release Control versions 9.50 and 9.60. The vulnerability may result in the ability of malicious users to perform UI redress atta…
- CVE-2020-9942 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-12-08
  An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.0.1, Safari 13.1.2. Visiting a malicious website may lead to address bar spoofing.
- CVE-2020-9945 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-12-08
  A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, Safari 14.0.1. Visiting a malicious website may lead to address bar spoofing.
- CVE-2020-9987 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-12-08
  An inconsistent user interface issue was addressed with improved state management. This issue is fixed in Safari 14.0. Visiting a malicious website may lead to address bar spoofing.
- CVE-2020-9993 | MEDIUM | CVSS 4.3 | EG 4.3 | 2020-12-08
  The issue was addressed with improved UI handling. This issue is fixed in watchOS 7.0, Safari 14.0, iOS 14.0 and iPadOS 14.0. Visiting a malicious website may lead to address bar spoofing.
- CVE-2021-0302 | HIGH | CVSS 7.8 | EG 7.8 | 2021-02-10
  In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for ex…