Total
339 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-32349 | 1 Google | 1 Android | 2025-09-08 | N/A | 7.8 HIGH |
| In multiple locations, there is a possible privilege escalation due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-32350 | 1 Google | 1 Android | 2025-09-08 | N/A | 7.8 HIGH |
| In maybeShowDialog of ControlsSettingsDialogManager.kt, there is a possible overlay of the ControlsSettingsDialog due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-22417 | 1 Google | 1 Android | 2025-09-04 | N/A | 7.3 HIGH |
| In finishTransition of Transition.java, there is a possible way to bypass touch filtering restrictions due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2025-22419 | 1 Google | 1 Android | 2025-09-04 | N/A | 7.3 HIGH |
| In multiple locations, there is a possible way to mislead the user into enabling malicious phone calls forwarding due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2025-41000 | 2025-09-04 | N/A | N/A | ||
| Cross-Frame Scripting (XFS) vulnerability in BoomCMS v9.1.4 from UXB London. XFS is a web attack technique that exploits specific browser bugs to spy on users via JavaScript. This type of attack is based on social engineering and depends entirely on the browser chosen by the user, so it is perceived as a minor threat to web application security. This vulnerability only works in older browsers. | |||||
| CVE-2024-13066 | 2025-09-04 | N/A | 4.3 MEDIUM | ||
| Improper Restriction of Rendered UI Layers or Frames vulnerability in Akinsoft LimonDesk allows iFrame Overlay, CAPEC - 103 - Clickjacking.This issue affects LimonDesk: from s1.02.14 before v1.02.17. | |||||
| CVE-2025-1494 | 1 Ibm | 1 Cognos Command Center | 2025-09-02 | N/A | 6.1 MEDIUM |
| IBM Cognos Command Center 10.2.4.1 and 10.2.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | |||||
| CVE-2024-3911 | 2025-08-27 | N/A | 6.5 MEDIUM | ||
| An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames. | |||||
| CVE-2025-54139 | 1 Psu | 2 Haxcms-nodejs, Haxcms-php | 2025-08-22 | N/A | 4.3 MEDIUM |
| HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8. | |||||
| CVE-2025-53096 | 1 Lizardbyte | 1 Sunshine | 2025-08-22 | N/A | 5.4 MEDIUM |
| Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510. | |||||
| CVE-2025-9108 | 2025-08-18 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of rendered ui layers. It is possible to launch the attack remotely. | |||||
| CVE-2025-0362 | 1 Gitlab | 1 Gitlab | 2025-08-07 | N/A | 6.4 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf. | |||||
| CVE-2025-49139 | 1 Psu | 2 Haxcms-nodejs, Haxcms-php | 2025-07-30 | N/A | 5.3 MEDIUM |
| HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL. An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials. Version 11.0.0 contains a patch for the issue. | |||||
| CVE-2025-54527 | 2025-07-29 | N/A | 6.1 MEDIUM | ||
| In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass security restrictions | |||||
| CVE-2025-7903 | 2025-07-22 | 4.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability classified as problematic was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the component Image Source Handler. The manipulation leads to improper restriction of rendered ui layers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-6983 | 2025-07-17 | N/A | N/A | ||
| A Clickjacking vulnerability in TP-Link Archer C1200 web management page allows an attacker to trick users into performing unintended actions via rendered UI layers or frames.This issue affects Archer C1200 <= 1.1.5. | |||||
| CVE-2025-6557 | 2 Google, Microsoft | 2 Chrome, Windows | 2025-07-15 | N/A | 5.4 MEDIUM |
| Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low) | |||||
| CVE-2025-6434 | 1 Mozilla | 1 Firefox | 2025-07-14 | N/A | 4.3 MEDIUM |
| The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140. | |||||
| CVE-2025-27455 | 2025-07-03 | N/A | 4.3 MEDIUM | ||
| The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects. | |||||
| CVE-2025-36027 | 1 Ibm | 2 Datacap, Datacap Navigator | 2025-07-01 | N/A | 5.4 MEDIUM |
| IBM Datacap 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | |||||