VYPR

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

Abstraction: Base · Status: Incomplete

Description

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
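As an added example (not part of this CWE entry, and not code from any product listed below): a small Python evaluator that applies the browser's framing rules to a set of HTTP response headers and reports whether a given origin may frame the page. It encodes the points a practitioner checks for this weakness: an enforced CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`; `ALLOW-FROM` is obsolete and gives no protection in current browsers; a `Content-Security-Policy-Report-Only` header never blocks; and with neither control present any site may embed the page. The header sets, origins and function names are constructed for illustration.

```python
"""Evaluate whether a page may be framed, from its HTTP response headers.

Added example: mirrors the rules browsers apply for the framing controls that
CWE-1021 is about. Header sets, origins and function names are constructed for
illustration and are not taken from any product listed on this page.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample responses (not captured from any real system).
UNPROTECTED = {}  # neither header present: the CWE-1021 condition
XFO_DENY = {"X-Frame-Options": "DENY"}
XFO_SAMEORIGIN = {"X-Frame-Options": "SAMEORIGIN"}
XFO_CONFLICT = {"X-Frame-Options": "SAMEORIGIN, DENY"}  # conflicting values: browsers deny
CSP_SELF = {"Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://*.trusted.example"}
CSP_OVERRIDES_XFO = {  # enforced frame-ancestors wins over a stricter X-Frame-Options
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors https://partner.example",
}
REPORT_ONLY = {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"}  # never blocks


def origin(url):
    """(scheme, host, port) for an origin URL, with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS.get(scheme)


def header_values(headers, name):
    """Case-insensitive lookup; a header may be given as one string or a list."""
    found = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            found.extend(value if isinstance(value, list) else [value])
    return found


def frame_ancestors_sources(headers):
    """Source expressions of the first enforced frame-ancestors directive, or None.

    Only the enforced Content-Security-Policy header counts: the Report-Only
    header does not block, and frame-ancestors in a <meta> tag is ignored.
    """
    for policy in header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def source_matches(source, embedder, page):
    """CSP host-source matching for one frame-ancestors expression."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return embedder == page
    scheme, _, rest = source.partition("://")
    if not rest:                       # no scheme given: inherits the page's scheme,
        scheme, rest = None, source    # and https embedders are accepted as an upgrade
    host, _, port = rest.split("/", 1)[0].partition(":")
    host = host.lower()
    if scheme is not None:
        if scheme.lower() != embedder[0]:
            return False
    elif embedder[0] not in (page[0], "https"):
        return False
    if port == "":
        if embedder[2] != DEFAULT_PORTS.get(embedder[0]):
            return False
    elif port != "*" and int(port) != embedder[2]:
        return False
    if host.startswith("*."):          # wildcard matches subdomains only, not the bare host
        return embedder[1].endswith(host[1:])
    return embedder[1] == host


def framing_allowed(headers, embedder_url, page_url):
    """Return (allowed, reason): may a document at embedder_url frame page_url?

    1. An enforced frame-ancestors directive takes precedence over X-Frame-Options.
    2. Otherwise X-Frame-Options DENY / SAMEORIGIN apply; ALLOW-FROM is obsolete and
       ignored by current browsers, so it leaves the page frameable.
    3. With neither control, any origin may frame the page.
    """
    embedder, page = origin(embedder_url), origin(page_url)

    sources = frame_ancestors_sources(headers)
    if sources is not None:
        return any(source_matches(s, embedder, page) for s in sources), "CSP frame-ancestors"

    xfo = [token.strip().upper()
           for value in header_values(headers, "X-Frame-Options")
           for token in value.split(",")]
    if "DENY" in xfo:
        return False, "X-Frame-Options DENY"
    if "SAMEORIGIN" in xfo:
        return embedder == page, "X-Frame-Options SAMEORIGIN"
    if xfo:
        return True, "X-Frame-Options value not honoured by current browsers"
    return True, "no framing restriction (CWE-1021)"


if __name__ == "__main__":
    for name, headers in [("UNPROTECTED", UNPROTECTED), ("XFO_SAMEORIGIN", XFO_SAMEORIGIN),
                          ("CSP_SELF", CSP_SELF), ("REPORT_ONLY", REPORT_ONLY)]:
        print(name, framing_allowed(headers, "https://attacker.example", "https://app.example"))
```

When reviewing a finding of this class, run the page's actual response headers through a check like this from the attacker's origin and from the site's own origin: the first answer tells you whether clickjacking is possible, the second whether the fix (typically `frame-ancestors 'self'` or `X-Frame-Options: SAMEORIGIN`) still permits the legitimate embedding the application relies on.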

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-103 · CAPEC-181 · CAPEC-222 · CAPEC-504 · CAPEC-506 · CAPEC-587 · CAPEC-654

CVEs mapped to this weakness (89)

page 3 of 5
  • CVE-2018-15423 · Medium · Oct 5, 2018
    risk 0.31 · CVSS 4.7 · EPSS 0.01

    A vulnerability in the web UI of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an…

  • CVE-2026-20645 · Medium · Feb 11, 2026
    risk 0.30 · CVSS 4.6 · EPSS 0.00

    An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information.

  • CVE-2017-4015 · Medium · May 17, 2017
    risk 0.29 · CVSS 4.5 · EPSS 0.01

    Clickjacking vulnerability in the server in McAfee Network Data Loss Prevention (NDLP) 9.3.x allows remote authenticated users to inject arbitrary web script or HTML via HTTP response header.

  • CVE-2026-10733 · Medium · Jun 11, 2026
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization.

  • CVE-2026-28971 · Medium · May 11, 2026
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    The issue was addressed with improved UI handling. This issue is fixed in Safari 26.5, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, visionOS 26.5. A malicious iframe may use another website’s download settings.

  • CVE-2025-65922 · Medium · Jan 5, 2026
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the application to be embedded within malicious iframes. While this does not lead to unintended modification of projects or tasks, it exposes users to Phishing attacks. Attackers can frame the…

  • CVE-2024-13066 · Medium · Sep 3, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Improper Restriction of Rendered UI Layers or Frames vulnerability in Akinsoft LimonDesk allows iFrame Overlay, CAPEC - 103 - Clickjacking. This issue affects LimonDesk: from s1.02.14 before v1.02.17.

  • CVE-2025-9108 · Medium · Aug 18, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of rendered ui layers. It is possible to launch the attack remotely.

  • CVE-2025-7903 · Medium · Jul 20, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    A vulnerability classified as problematic was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the component Image Source Handler. The manipulation leads to improper restriction of rendered ui layers. The attack can be…

  • CVE-2025-6434 · Medium · Jun 24, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140…

  • CVE-2025-24310 · Medium · Apr 4, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Improper restriction of rendered UI layers or frames issue exists in HMI ViewJet C-more series, which may allow a remote unauthenticated attacker to trick the product user to perform operations on the product's web pages.

  • CVE-2025-1019 · Medium · Feb 4, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

  • CVE-2023-47774 · Medium · Apr 24, 2024
    risk 0.28 · CVSS 5.4 · EPSS 0.00

    Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking. This issue affects Jetpack: from n/a before 12.7.

  • CVE-2018-12576 · Medium · Jul 2, 2018
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    TP-Link TL-WR841N v13 00000001 0.9.1 4.16 v0001.0 Build 180119 Rel.65243n devices allow clickjacking.

  • CVE-2017-5026 · Medium · Feb 17, 2017
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to prevent alerts from being displayed by swapped out frames, which allowed a remote attacker to show alerts on a page they don't control via a crafted HTML page.

  • CVE-2026-21785 · Medium · May 27, 2026
    risk 0.26 · CVSS 4.0 · EPSS 0.00

    A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources.

  • CVE-2026-9396 · Low · May 24, 2026
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    A security flaw has been discovered in Besen BS20 EV Charging Station up to 20260426. Affected by this vulnerability is an unknown functionality of the component Firmware Version Check. The manipulation results in improper restriction of rendered ui layers. The attack can be…

  • CVE-2026-3254 · Low · Apr 22, 2026
    risk 0.23 · CVSS 3.5 · EPSS 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.

  • CVE-2026-8022 · Low · May 6, 2026
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low)

  • CVE-2025-62316 · Low · May 14, 2026
    risk 0.15 · CVSS 2.3 · EPSS 0.00

    HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the application to limited security risks under…