CWE-1021— Improper Restriction of Rendered UI Layers or Frames (Clickjacking)

A select option could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions. *This issue only affects Android versions of Firefox.* This vulnerability affects Firefox < 129.

Multiple prompts and panels from both Firefox and the Android OS could be used to obscure the notification announcing the transition to fullscreen mode after the fix for CVE-2023-6870 in Firefox 121. This could lead to spoofing the browser…

A missing delay in directory upload UI could have made it possible for an attacker to trick a user into granting permission via clickjacking. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbi…

An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing …

Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay.This issue affects Shopside: through 05022025.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Restriction of Rendered UI Layers or Frames vulnerability in Mevzuattr Software MevzuatTR allows Phishing, iFrame Overlay, Clickjacking, …

The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site …

Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium)

ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk.

IBM Cognos Command Center 10.2.4.1 and 10.2.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the…

Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site.

Inappropriate implementation in Browser UI in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

Inappropriate implementation in Permission Prompts in Google Chrome prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security …

A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user in to launching an external app unexpectedly. *This issue only affects Android versions of Firefox.*.…

In finishTransition of Transition.java, there is a possible way to bypass touch filtering restrictions due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. Use…

In multiple locations, there is a possible way to mislead the user into enabling malicious phone calls forwarding due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. U…

Improper restriction of rendered UI layers or frames issue exists in HMI ViewJet C-more series, which may allow a remote unauthenticated attacker to trick the product user to perform operations on the product's web pages.

SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header i…

Improper restriction of rendered UI layers or frames issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If a user views and clicks on the content on the malicious page while logged in, unintended operations may be performed.

The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing conf…

Phpgurukul Hostel Management System 2.1 is vulnerable to clickjacking.

Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing …

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where user-controlled inputs for element dimensions (width and height) were not properly validated. This allo…

In multiple locations, there is a possible privilege escalation due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploit…

In maybeShowDialog of ControlsSettingsDialogManager.kt, there is a possible overlay of the ControlsSettingsDialog due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges …

EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups…

IBM Datacap 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victi…

IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim.

Cross-Frame Scripting (XFS) vulnerability in BoomCMS v9.1.4 from UXB London. XFS is a web attack technique that exploits specific browser bugs to spy on users via JavaScript. This type of attack is based on social engineering and depends e…

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web…

In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interactio…

In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User …

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a t…

Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The…

The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal c…

HCL MyXalytics is affected by the use of vulnerable/outdated versions which can expose the application to known security risks that could be exploited.

A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application's failure to set appropriate X-Frame-Options and X-Content-Type HTTP headers. This vulnerab…

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a …

HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers …

In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass security restrictions

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements i…

CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on th…

Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages.

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection (confirmation dialog), it is possible to trick the admin into clicking the Promote button in another user's m…

HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the applica…

Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function