CWE-1021
Improper Restriction of Rendered UI Layers or Frames
Abstraction: Base · Status: Incomplete
Description
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-103 · CAPEC-181 · CAPEC-222 · CAPEC-504 · CAPEC-506 · CAPEC-587 · CAPEC-654
CVEs mapped to this weakness (49)
page 2 of 3

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-1018 | Med | 0.34 | 5.3 | 0.00 | — | Feb 4, 2025 | The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135. |
| CVE-2024-6466 | Med | 0.34 | 5.3 | 0.00 | — | Jan 21, 2025 | NEC Corporation's WebSAM DeploymentManager v6.0 to v6.80 allows an attacker to reset configurations or restart products via the network when X-FRAME-OPTIONS is not specified. |
| CVE-2025-64387 | Med | 0.33 | — | 0.00 | — | Oct 31, 2025 | The web application is vulnerable to a so-called ‘clickjacking’ attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate. |
| CVE-2025-6983 | Med | 0.33 | — | 0.00 | — | Jul 16, 2025 | A Clickjacking vulnerability in TP-Link Archer C1200 web management page allows an attacker to trick users into performing unintended actions via rendered UI layers or frames. This issue affects Archer C1200 <= 1.1.5. |
| CVE-2025-0421 | Med | 0.31 | 4.7 | 0.00 | — | Nov 19, 2025 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay. This issue affects Shopside: through 05022025. |
| CVE-2025-0546 | Med | 0.31 | 4.7 | 0.00 | — | Sep 17, 2025 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Restriction of Rendered UI Layers or Frames vulnerability in Mevzuattr Software MevzuatTR allows Phishing, iFrame Overlay, Clickjacking, Forceful Browsing. This issue needs high privileges. This issue affects MevzuatTR: before 12.02.2025. |
| CVE-2026-20645 | Med | 0.30 | 4.6 | 0.00 | — | Feb 11, 2026 | An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information. |
| CVE-2017-4015 | Med | 0.29 | 4.5 | 0.00 | — | May 17, 2017 | Clickjacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to inject arbitrary web script or HTML via HTTP response header. |
| CVE-2026-28971 | Med | 0.28 | 4.3 | 0.00 | — | May 11, 2026 | The issue was addressed with improved UI handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings. |
| CVE-2025-65922 | Med | 0.28 | 4.3 | 0.00 | — | Jan 5, 2026 | PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the legitimate Planka application on a malicious site to establish false trust (UI Redressing), potentially tricking users into entering sensitive information or credentials into overlaid fake forms. NOTE: this is disputed by the Supplier because "PLANKA uses SameSite=Strict cookies, preventing authentication in cross-origin contexts. No session can be established. No credential interception or unauthorized actions are possible. Browser Same-Origin Policy prevents the parent page from accessing iframe content. Clickjacking is not applicable on the login page. Any credential capture would require attacker-controlled input and user interaction equivalent to phishing. The security outcome depends entirely on the user's trust in the parent page. An attacker can achieve the same effect with a fully fake login page. Embedding the legitimate page adds no risk, as browsers do not show URL, certificate, or padlock indicators in cross-origin iframes." |
| CVE-2024-13066 | Med | 0.28 | 4.3 | 0.00 | — | Sep 3, 2025 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Akinsoft LimonDesk allows iFrame Overlay, CAPEC - 103 - Clickjacking. This issue affects LimonDesk: from s1.02.14 before v1.02.17. |
| CVE-2025-9108 | Med | 0.28 | 4.3 | 0.00 | — | Aug 18, 2025 | Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of rendered UI layers. It is possible to launch the attack remotely. |
| CVE-2025-7903 | Med | 0.28 | 4.3 | 0.00 | — | Jul 20, 2025 | A vulnerability classified as problematic was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the component Image Source Handler. The manipulation leads to improper restriction of rendered UI layers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-6434 | Med | 0.28 | 4.3 | 0.00 | — | Jun 24, 2025 | The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140. |
| CVE-2025-24310 | Med | 0.28 | 4.3 | 0.01 | — | Apr 4, 2025 | Improper restriction of rendered UI layers or frames issue exists in HMI ViewJet C-more series, which may allow a remote unauthenticated attacker to trick the product user into performing operations on the product's web pages. |
| CVE-2025-1019 | Med | 0.28 | 4.3 | 0.00 | — | Feb 4, 2025 | The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135. |
| CVE-2023-47774 | Med | 0.28 | 5.4 | 0.00 | — | Apr 24, 2024 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking. This issue affects Jetpack: from n/a before 12.7. |
| CVE-2017-5026 | Med | 0.28 | 4.3 | 0.01 | — | Feb 17, 2017 | Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac failed to prevent alerts from being displayed by swapped-out frames, which allowed a remote attacker to show alerts on a page they don't control via a crafted HTML page. |
| CVE-2026-3254 | Low | 0.23 | 3.5 | 0.00 | — | Apr 22, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox. |
| CVE-2026-8022 | Low | 0.20 | 3.1 | 0.00 | — | May 6, 2026 | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low) |