CWE-1021
Improper Restriction of Rendered UI Layers or Frames
Abstraction: Base · Status: Incomplete
Description
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-103 · CAPEC-181 · CAPEC-222 · CAPEC-504 · CAPEC-506 · CAPEC-587 · CAPEC-654
CVEs mapped to this weakness (49)
Page 1 of 3

| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-2496 | Critical | 0.64 | 9.8 | 0.00 | - | Jun 13, 2016 | The Framework UI permission-dialog implementation in Android 6.x before 2016-06-01 allows attackers to conduct tapjacking attacks and access arbitrary private-storage files by creating a partially overlapping window, aka internal bug 26677796. |
| CVE-2025-14812 | High | 0.49 | 7.5 | 0.00 | - | Dec 19, 2025 | ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk. |
| CVE-2026-2378 | High | 0.48 | 7.4 | 0.00 | - | Mar 20, 2026 | ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. |
| CVE-2025-15032 | High | 0.48 | 7.4 | 0.00 | - | Jan 16, 2026 | Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. |
| CVE-2025-14809 | High | 0.48 | 7.4 | 0.00 | - | Dec 19, 2025 | ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. |
| CVE-2025-13132 | High | 0.48 | 7.4 | 0.00 | - | Nov 21, 2025 | This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar). |
| CVE-2025-1940 | High | 0.46 | 7.1 | 0.00 | - | Mar 4, 2025 | A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user into launching an external app unexpectedly. *This issue only affects Android versions of Firefox.* This vulnerability was fixed in Firefox 136. |
| CVE-2025-24874 | Medium | 0.44 | 6.8 | 0.00 | - | Feb 11, 2025 | SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP directive. Hence, clickjacking could become possible then, and lead to exposure and modification of sensitive information. |
| CVE-2025-25213 | Medium | 0.42 | 6.5 | 0.00 | - | Apr 9, 2025 | Improper restriction of rendered UI layers or frames issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If a user views and clicks on the content on the malicious page while logged in, unintended operations may be performed. |
| CVE-2024-3911 | Medium | 0.42 | 6.5 | 0.00 | - | Apr 23, 2024 | An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames. |
| CVE-2017-5697 | Medium | 0.42 | 6.5 | 0.00 | - | Jun 14, 2017 | Insufficient clickjacking protection in the Web User Interface of Intel AMT firmware versions before 9.1.40.1000, 9.5.60.1952, 10.0.50.1004, 11.0.0.1205, and 11.6.25.1129 potentially allowing a remote attacker to hijack users' web clicks via an attacker-crafted web page. |
| CVE-2017-7440 | Medium | 0.42 | 6.5 | 0.00 | - | May 2, 2017 | Kerio Connect 8.0.0 through 9.2.2, and Kerio Connect Client desktop application for Windows and Mac 9.2.0 through 9.2.2, when e-mail preview is enabled, allows remote attackers to conduct clickjacking attacks via a crafted e-mail message. |
| CVE-2017-5016 | Medium | 0.42 | 6.5 | 0.01 | - | Feb 17, 2017 | Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to prevent certain UI elements from being displayed by non-visible pages, which allowed a remote attacker to show certain UI elements on a page they don't control via a crafted HTML page. |
| CVE-2024-10454 | Medium | 0.40 | 6.1 | 0.00 | - | Oct 31, 2024 | Clickjacking vulnerability in Clibo Manager v1.1.9.12 in the '/public/login' directory, a login panel. This vulnerability occurs due to the absence of an X-Frame-Options server-side header. An attacker could overlay a transparent iframe to perform click hijacking on victims. |
| CVE-2024-40817 | Medium | 0.40 | 6.1 | 0.00 | - | Jul 29, 2024 | The issue was addressed with improved UI handling. This issue is fixed in Safari 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing. |
| CVE-2017-11290 | Medium | 0.40 | 6.1 | 0.00 | - | Dec 9, 2017 | An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A UI Redress (or Clickjacking) vulnerability exists. This issue has been resolved by adding a feature that enables Connect administrators to protect users from UI redressing (or clickjacking) attacks. |
| CVE-2024-55888 | High | 0.39 | 7.1 | 0.00 | - | Dec 12, 2024 | Hush Line is an open-source whistleblower management system. Starting in version 0.1.0 and prior to version 0.3.5, the production server appeared to have been misconfigured and missed providing any content security policy or security headers. This could result in bypassing of cross-site scripting filters. Version 0.3.5 fixed the issue. |
| CVE-2017-0492 | Medium | 0.36 | 5.5 | 0.00 | - | Mar 8, 2017 | An elevation of privilege vulnerability in the System UI could enable a local malicious application to create a UI overlay covering the entire screen. This issue is rated as Moderate because it is a local bypass of user interaction requirements that would normally require either user initiation or user permission. Product: Android. Versions: 7.1.1. Android ID: A-30150688. |
| CVE-2025-30191 | Medium | 0.35 | 5.4 | 0.00 | - | Oct 31, 2025 | Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known. |
| CVE-2025-5267 | Medium | 0.35 | 5.4 | 0.00 | - | May 27, 2025 | A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. |