Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed.
                
Information
Published : 2019-07-09 21:15
Updated : 2024-11-21 04:51
NVD link : CVE-2019-9147
Mitre link : CVE-2019-9147
CVE.ORG link : CVE-2019-9147
Products Affected
mailvelope
- mailvelope
CWE
CWE-1021: Improper Restriction of Rendered UI Layers or Frames
