VYPR

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

BaseIncomplete

Description

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-103 · CAPEC-181 · CAPEC-222 · CAPEC-504 · CAPEC-506 · CAPEC-587 · CAPEC-654

CVEs mapped to this weakness (89)

page 2 of 5
  • CVE-2018-1432MedJun 5, 2018
    risk 0.40cvss 6.1epss 0.01

    IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to cross-frame scripting which is a vulnerability that allows an attacker to load Information Server components inside an HTML iframe tag on a malicious page. The attacker could use this weakness to devise…

  • CVE-2017-11290MedDec 9, 2017
    risk 0.40cvss 6.1epss 0.03

    An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A UI Redress (or Clickjacking) vulnerability exists. This issue has been resolved by adding a feature that enables Connect administrators to protect users from UI redressing (or clickjacking) attacks.

  • CVE-2026-47723higJun 8, 2026
    risk 0.39cvss epss 0.00

    None of the response paths in `internal/web/` or `internal/api/` set the standard browser-security headers. `grep` for `Content-Security-Policy`, `X-Frame-Options`, `Strict-Transport-Security`, `X-Content-Type-Options`, `Referrer-Policy` returns zero matches across the codebase.…

  • CVE-2024-55888HigDec 12, 2024
    risk 0.39cvss 7.1epss 0.00

    Hush Line is an open-source whistleblower management system. Starting in version 0.1.0 and prior to version 0.3.5, the productions server appeared to have been misconfigured and missed providing any content security policy or security headers. This could result in bypassing of…

  • CVE-2026-0061MedJun 1, 2026
    risk 0.38cvss 5.9epss 0.00

    In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…

  • CVE-2025-23205MedJan 17, 2025
    risk 0.38cvss epss 0.00

    nbgrader is a system for assigning and grading notebooks. Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration…

  • CVE-2017-0492MedMar 8, 2017
    risk 0.36cvss 5.5epss 0.00

    An elevation of privilege vulnerability in the System UI could enable a local malicious application to create a UI overlay covering the entire screen. This issue is rated as Moderate because it is a local bypass of user interaction requirements that would normally require either…

  • CVE-2026-12323MedJun 16, 2026
    risk 0.35cvss 5.4epss 0.00

    Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-12322MedJun 16, 2026
    risk 0.35cvss 5.4epss 0.00

    Clickjacking issue in the Widget: Gtk component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2025-30191MedOct 31, 2025
    risk 0.35cvss 5.4epss 0.00

    Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the…

  • CVE-2025-5267MedMay 27, 2025
    risk 0.35cvss 5.4epss 0.00

    A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

  • CVE-2025-1018MedFeb 4, 2025
    risk 0.34cvss 5.3epss 0.00

    The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

  • CVE-2024-6466MedJan 21, 2025
    risk 0.34cvss 5.3epss 0.00

    NEC Corporation's WebSAM DeploymentManager v6.0 to v6.80 allows an attacker to reset configurations or restart products via network with X-FRAME-OPTIONS is not specified.

  • CVE-2026-42502MedMay 22, 2026
    risk 0.33cvss 6.1epss 0.00

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-27136MedMay 22, 2026
    risk 0.33cvss 6.1epss 0.00

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2026-25681MedMay 22, 2026
    risk 0.33cvss 6.1epss 0.00

    Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

  • CVE-2025-64387MedOct 31, 2025
    risk 0.33cvss epss 0.00

    The web application is vulnerable to a so-called ‘clickjacking’ attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making…

  • CVE-2025-6983MedJul 16, 2025
    risk 0.33cvss epss 0.00

    A Clickjacking vulnerability in TP-Link Archer C1200 web management page allows an attacker to trick users into performing unintended actions via rendered UI layers or frames.This issue affects Archer C1200 <= 1.1.5.

  • CVE-2025-0421MedNov 19, 2025
    risk 0.31cvss 4.7epss 0.00

    Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay. This issue affects Shopside: through 05022025.

  • CVE-2025-0546MedSep 17, 2025
    risk 0.31cvss 4.7epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Restriction of Rendered UI Layers or Frames vulnerability in Mevzuattr Software MevzuatTR allows Phishing, iFrame Overlay, Clickjacking, Forceful Browsing. This issue needs high…