CWE-1021
Improper Restriction of Rendered UI Layers or Frames
Description
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-103 · CAPEC-181 · CAPEC-222 · CAPEC-504 · CAPEC-506 · CAPEC-587 · CAPEC-654
CVEs mapped to this weakness (89)
page 1 of 5

| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2016-2496 | Critical | 0.64 | 9.8 | 0.01 | Jun 13, 2016 | The Framework UI permission-dialog implementation in Android 6.x before 2016-06-01 allows attackers to conduct tapjacking attacks and access arbitrary private-storage files by creating a partially overlapping window, aka internal bug 26677796. |
| CVE-2026-44727 | Critical | 0.52 | — | 0.00 | Jun 18, 2026 | The nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their `Content-Security-Policy`. Combined with `nbconvert.HTMLExporter`'s default non-sanitizing behavior, a notebook carrying an HTML… |
| CVE-2026-28577 | High | 0.51 | 7.8 | 0.00 | Jun 1, 2026 | In addWindow of WindowManagerService.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2026-0036 | High | 0.51 | 7.8 | 0.00 | Jun 1, 2026 | In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2025-14812 | High | 0.49 | 7.5 | 0.00 | Dec 19, 2025 | ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk. |
| CVE-2026-2378 | High | 0.48 | 7.4 | 0.00 | Mar 20, 2026 | ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. |
| CVE-2025-15032 | High | 0.48 | 7.4 | 0.00 | Jan 16, 2026 | Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site. |
| CVE-2025-14809 | High | 0.48 | 7.4 | 0.00 | Dec 19, 2025 | ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. |
| CVE-2025-13132 | High | 0.48 | 7.4 | 0.00 | Nov 21, 2025 | This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address… |
| CVE-2026-37470 | High | 0.47 | 7.3 | 0.00 | May 22, 2026 | An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers components. |
| CVE-2025-1940 | High | 0.46 | 7.1 | 0.00 | Mar 4, 2025 | A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user into launching an external app unexpectedly. *This issue only affects Android versions of Firefox.* This vulnerability was fixed in Firefox… |
| CVE-2025-24874 | Medium | 0.44 | 6.8 | 0.00 | Feb 11, 2025 | SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP… |
| CVE-2025-25213 | Medium | 0.42 | 6.5 | 0.00 | Apr 9, 2025 | Improper restriction of rendered UI layers or frames issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If a user views and clicks on the content on the malicious page while logged in, unintended operations may be performed. |
| CVE-2024-3911 | Medium | 0.42 | 6.5 | 0.00 | Apr 23, 2024 | An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames. |
| CVE-2017-5697 | Medium | 0.42 | 6.5 | 0.01 | Jun 14, 2017 | Insufficient clickjacking protection in the Web User Interface of Intel AMT firmware versions before 9.1.40.1000, 9.5.60.1952, 10.0.50.1004, 11.0.0.1205, and 11.6.25.1129, potentially allowing a remote attacker to hijack users' web clicks via an attacker-crafted web page. |
| CVE-2017-7440 | Medium | 0.42 | 6.5 | 0.01 | May 2, 2017 | Kerio Connect 8.0.0 through 9.2.2, and Kerio Connect Client desktop application for Windows and Mac 9.2.0 through 9.2.2, when e-mail preview is enabled, allows remote attackers to conduct clickjacking attacks via a crafted e-mail message. |
| CVE-2017-5016 | Medium | 0.42 | 6.5 | 0.01 | Feb 17, 2017 | Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to prevent certain UI elements from being displayed by non-visible pages, which allowed a remote attacker to show certain UI elements on a page they don't control via a… |
| CVE-2024-10454 | Medium | 0.40 | 6.1 | 0.00 | Oct 31, 2024 | Clickjacking vulnerability in Clibo Manager v1.1.9.12 in the '/public/login' directory, a login panel. This vulnerability occurs due to the absence of an X-Frame-Options server-side header. An attacker could overlay a transparent iframe to perform click hijacking on victims. |
| CVE-2024-40817 | Medium | 0.40 | 6.1 | 0.01 | Jul 29, 2024 | The issue was addressed with improved UI handling. This issue is fixed in Safari 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing. |
| CVE-2018-0355 | Medium | 0.40 | 6.1 | 0.02 | Jun 7, 2018 | A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient… |
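Several rows above (SAP Commerce CVE-2025-24874, Clibo Manager CVE-2024-10454, Intel AMT CVE-2017-5697) come down to which anti-framing headers a response carries and how browsers weigh them. The checker below is an added example written for this page; it is not code from the CWE entry, from MITRE, or from any vendor listed. It classifies a response's headers the way a current browser evaluates them: a `frame-ancestors` directive in an enforced `Content-Security-Policy` takes precedence over `X-Frame-Options`, a Report-Only policy never blocks, `ALLOW-FROM` is not honoured, and a wildcard or bare scheme in `frame-ancestors` lets any site frame the page. The verdict names and the header sets in `SAMPLES` are constructed for the example.

```python
# Added example: classify a server's anti-framing headers as a browser would.
# Not code from the CWE-1021 page or from any product listed there; the header
# values in SAMPLES are constructed inputs.
from typing import Dict, List, Mapping, Tuple

# Sources that let any origin (on that scheme) frame the page.
WILDCARD_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}

# Hardened configuration: CSP is the standardised control, X-Frame-Options is
# kept for browsers that do not evaluate frame-ancestors. Where both are
# understood the CSP directive wins, so the two must agree.
HARDENED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.
    When a directive is repeated inside one policy, the first occurrence wins."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives


def classify_frame_ancestors(sources: List[str]) -> Tuple[str, str]:
    """Judge a frame-ancestors source list. An empty list matches nothing,
    which for this directive means framing is denied."""
    if not sources or sources == ["'none'"]:
        return "protected", "frame-ancestors denies all framing"
    if any(s in WILDCARD_SOURCES for s in sources):
        return "weak", "frame-ancestors contains a wildcard or bare scheme; any site can frame the page"
    return "protected", "frame-ancestors restricts framing to " + " ".join(sources)


def framing_policy(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one response's headers.
    verdict is one of 'protected', 'weak', 'legacy-only', 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}
    # Enforced CSP first: browsers that understand frame-ancestors ignore
    # X-Frame-Options when the directive is present.
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        return classify_frame_ancestors(csp["frame-ancestors"])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "legacy-only", (f"X-Frame-Options: {xfo} is effective in current browsers but is the "
                               "deprecated control; add frame-ancestors")
    if xfo.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is not honoured by current browsers, so the header is ineffective"
    if xfo:
        return "unprotected", f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"
    report_only = parse_csp(h.get("content-security-policy-report-only", ""))
    if "frame-ancestors" in report_only:
        return "unprotected", "frame-ancestors appears only in a Report-Only policy, which reports but never blocks"
    return "unprotected", "no X-Frame-Options and no frame-ancestors directive"


# Constructed responses covering the cases seen in the CVE rows and the hardened form.
SAMPLES = {
    "login page, no headers": {"Content-Type": "text/html"},
    "legacy X-Frame-Options only": {"X-Frame-Options": "SAMEORIGIN"},
    "CSP frame-ancestors 'none'": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "CSP wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "both present, CSP wins": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors https:"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "hardened": HARDENED_HEADERS,
}


def audit(samples: Mapping[str, Mapping[str, str]] = SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Run framing_policy over every sample and return the verdicts by name."""
    return {name: framing_policy(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in audit().items():
        print(f"{name:30} {verdict:12} {reason}")
```

Two caveats the checker encodes: `frame-ancestors` is only honoured when delivered as an HTTP header, a `<meta http-equiv>` policy cannot carry it, and the check only applies to the browser-side rows. The Android tapjacking entries (CVE-2016-2496, CVE-2026-28577, CVE-2026-0036) concern native overlay windows, where HTTP headers play no part; the analogous control there is the view's `filterTouchesWhenObscured` attribute.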