VYPR

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

Abstraction: Base · Status: Incomplete

Description

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-103 · CAPEC-181 · CAPEC-222 · CAPEC-504 · CAPEC-506 · CAPEC-587 · CAPEC-654

CVEs mapped to this weakness (89)

page 1 of 5
  • CVE-2016-2496 · Critical · Jun 13, 2016
    risk 0.64 · cvss 9.8 · epss 0.01

    The Framework UI permission-dialog implementation in Android 6.x before 2016-06-01 allows attackers to conduct tapjacking attacks and access arbitrary private-storage files by creating a partially overlapping window, aka internal bug 26677796.

  • CVE-2026-44727 · Critical · Jun 18, 2026
    risk 0.52 · cvss not listed · epss 0.00

    The nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their `Content-Security-Policy`. Combined with `nbconvert.HTMLExporter`'s default non-sanitizing behavior, a notebook carrying an HTML…

  • CVE-2026-28577 · High · Jun 1, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    In addWindow of WindowManagerService.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2026-0036 · High · Jun 1, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

  • CVE-2025-14812 · High · Dec 19, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk.

  • CVE-2026-2378 · High · Mar 20, 2026
    risk 0.48 · cvss 7.4 · epss 0.00

    ArcSearch for Android versions prior to 1.12.7 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

  • CVE-2025-15032 · High · Jan 16, 2026
    risk 0.48 · cvss 7.4 · epss 0.00

    Missing about:blank indicator in custom-sized new windows in Dia before 1.9.0 on macOS could allow an attacker to spoof a trusted domain in the window title and mislead users about the current site.

  • CVE-2025-14809 · High · Dec 19, 2025
    risk 0.48 · cvss 7.4 · epss 0.00

    ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

  • CVE-2025-13132 · High · Nov 21, 2025
    risk 0.48 · cvss 7.4 · epss 0.00

    This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address…

  • CVE-2026-37470 · High · May 22, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers components.

  • CVE-2025-1940 · High · Mar 4, 2025
    risk 0.46 · cvss 7.1 · epss 0.00

    A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user into launching an external app unexpectedly. *This issue only affects Android versions of Firefox.* This vulnerability was fixed in Firefox…

  • CVE-2025-24874 · Medium · Feb 11, 2025
    risk 0.44 · cvss 6.8 · epss 0.00

    SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP…

  • CVE-2025-25213 · Medium · Apr 9, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    Improper restriction of rendered UI layers or frames issue exists in Wi-Fi AP UNIT 'AC-WPS-11ac series'. If a user views and clicks on the content on the malicious page while logged in, unintended operations may be performed.

  • CVE-2024-3911 · Medium · Apr 23, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames.

  • CVE-2017-5697 · Medium · Jun 14, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    Insufficient clickjacking protection in the Web User Interface of Intel AMT firmware versions before 9.1.40.1000, 9.5.60.1952, 10.0.50.1004, 11.0.0.1205, and 11.6.25.1129 potentially allowing a remote attacker to hijack users' web clicks via an attacker's crafted web page.

  • CVE-2017-7440 · Medium · May 2, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    Kerio Connect 8.0.0 through 9.2.2, and Kerio Connect Client desktop application for Windows and Mac 9.2.0 through 9.2.2, when e-mail preview is enabled, allows remote attackers to conduct clickjacking attacks via a crafted e-mail message.

  • CVE-2017-5016 · Medium · Feb 17, 2017
    risk 0.42 · cvss 6.5 · epss 0.01

    Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, failed to prevent certain UI elements from being displayed by non-visible pages, which allowed a remote attacker to show certain UI elements on a page they don't control via a…

  • CVE-2024-10454 · Medium · Oct 31, 2024
    risk 0.40 · cvss 6.1 · epss 0.00

    Clickjacking vulnerability in Clibo Manager v1.1.9.12 in the '/public/login' directory, a login panel. This vulnerability occurs due to the absence of an X-Frame-Options server-side header. An attacker could overlay a transparent iframe to perform click hijacking on victims.

  • CVE-2024-40817 · Medium · Jul 29, 2024
    risk 0.40 · cvss 6.1 · epss 0.01

    The issue was addressed with improved UI handling. This issue is fixed in Safari 17.6, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing.

  • CVE-2018-0355 · Medium · Jun 7, 2018
    risk 0.40 · cvss 6.1 · epss 0.02

    A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient…