CWE-1021
Improper Restriction of Rendered UI Layers or Frames
Description
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-103 · CAPEC-181 · CAPEC-222 · CAPEC-504 · CAPEC-506 · CAPEC-587 · CAPEC-654
CVEs mapped to this weakness (89)
page 4 of 5

| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2025-41000 | Low | 0.14 | — | 0.00 | Sep 3, 2025 | Cross-Frame Scripting (XFS) vulnerability in BoomCMS v9.1.4 from UXB London. XFS is a web attack technique that exploits specific browser bugs to spy on users via JavaScript. This type of attack is based on social engineering and depends entirely on the browser chosen by the… |
| CVE-2011-1244 | | 0.01 | — | 0.15 | Apr 13, 2011 | Microsoft Internet Explorer 6, 7, and 8 does not enforce intended domain restrictions on content access, which allows remote attackers to obtain sensitive information or conduct clickjacking attacks via a crafted web site, aka "Frame Tag Information Disclosure Vulnerability." |
| CVE-2026-26000 | | 0.00 | — | 0.00 | Feb 12, 2026 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This… |
| CVE-2025-63522 | | 0.00 | — | 0.00 | Dec 1, 2025 | Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function |
| CVE-2025-54139 | — | 0.00 | — | 0.00 | Jul 22, 2025 | HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading… |
| CVE-2025-49139 | — | 0.00 | — | 0.00 | Jun 9, 2025 | HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the… |
| CVE-2025-31138 | | 0.00 | — | 0.00 | Apr 7, 2025 | tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where user-controlled inputs for element dimensions (width and height) were not properly validated. This allowed an attacker with direct access to… |
| CVE-2024-2383 | | 0.00 | — | 0.00 | Jun 6, 2024 | A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an… |
| CVE-2024-0669 | — | 0.00 | — | 0.00 | Jan 18, 2024 | A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting versions below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicious iframe element. |
| CVE-2023-38873 | — | 0.00 | — | 0.01 | Sep 28, 2023 | The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer is vulnerable to Clickjacking. Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another… |
| CVE-2023-0780 | | 0.00 | — | 0.00 | Feb 11, 2023 | Improper Restriction of Rendered UI Layers or Frames in GitHub repository cockpit-hq/cockpit prior to 2.3.9-dev. |
| CVE-2023-0057 | | 0.00 | — | 0.00 | Jan 5, 2023 | Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33. |
| CVE-2022-36182 | | 0.00 | — | 0.01 | Oct 27, 2022 | Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking, which allows for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site. |
| CVE-2022-3167 | — | 0.00 | — | 0.01 | Sep 8, 2022 | Improper Restriction of Rendered UI Layers or Frames in GitHub repository ikus060/rdiffweb prior to 2.4.1. |
| CVE-2022-28889 | — | 0.00 | — | 0.02 | Jul 7, 2022 | In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header. |
| CVE-2022-24733 | | 0.00 | — | 0.01 | Mar 14, 2022 | Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target… |
| CVE-2021-46708 | — | 0.00 | — | 0.01 | Mar 11, 2022 | The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and… |
| CVE-2021-3734 | | 0.00 | — | 0.00 | Aug 26, 2021 | yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames |
| CVE-2020-5679 | | 0.00 | — | 0.01 | Dec 3, 2020 | Improper restriction of rendered UI layers or frames in EC-CUBE versions from 3.0.0 to 3.0.18 leads to clickjacking attacks. If a user accesses a specially crafted page while logged into the administrative page, unintended operations may be conducted. |
| CVE-2020-1728 | — | 0.00 | — | 0.01 | Apr 6, 2020 | A vulnerability was found in all versions of Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their… |
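The Apache Druid and ZenML entries above name the two server-side controls for this weakness: the `X-Frame-Options` header and the CSP `frame-ancestors` directive. The Python below is an added example written for this page, not code from MITRE or from any project in the list. Given a response's headers, it decides whether the page may be framed by a given embedder, following the browser rule that an enforced `frame-ancestors` directive takes precedence and `X-Frame-Options` is consulted only when that directive is absent. It also makes two practitioner gotchas visible: `Content-Security-Policy-Report-Only` blocks nothing, and `ALLOW-FROM` is not recognised by current browsers, so a response that relies on it is frameable from anywhere. Assumptions: a single embedding page is modelled (browsers check every ancestor in the frame chain), one value per header name, and a scheme-less host source in `frame-ancestors` is matched without the spec's scheme-upgrade rules. All header sets and URLs are constructed for the demonstration.

```python
"""Decide whether a response's anti-framing headers let a given page embed it.

Added example for the CWE-1021 listing; not code from MITRE or any listed
project. Models one embedder (real browsers check the whole ancestor chain),
one value per header name, and simplified host-source matching. Sample
headers and URLs are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str) -> tuple[str, str, int | None]:
    """(scheme, host, effective port) for an absolute URL."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (assumption: one value per name)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the embedder origin."""
    src = source.lower()
    e_scheme, e_host, e_port = _origin(embedder)
    if src == "*":
        return True
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin(embedder) == _origin(page)
    if src.endswith(":") and "://" not in src:      # scheme-source, e.g. https:
        return e_scheme == src[:-1]
    if "://" in src:                                 # scheme://host[:port]
        s_scheme, rest = src.split("://", 1)
        if s_scheme != e_scheme:
            return False
    else:                                            # host[:port] (scheme rules simplified)
        rest = src
    host, _, port = rest.split("/", 1)[0].partition(":")
    if port and port != "*" and port != str(e_port):
        return False
    if host.startswith("*."):                        # *.example.com covers subdomains only
        return e_host.endswith(host[1:])
    return e_host == host


def _frame_ancestors(headers: dict[str, str]) -> list[str] | None:
    """Source list of an enforced frame-ancestors directive, or None if absent.

    Content-Security-Policy-Report-Only is ignored on purpose: it blocks nothing.
    An empty source list is equivalent to 'none'.
    """
    csp = _header(headers, "content-security-policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:] or ["'none'"]
    return None


def framing_allowed(headers: dict[str, str], page_url: str, embedder_url: str) -> bool:
    """True if a document at page_url, served with these headers, may be framed by
    a document at embedder_url. True with no controls present is the CWE-1021 case."""
    sources = _frame_ancestors(headers)
    if sources is not None:
        # frame-ancestors present: browsers ignore X-Frame-Options entirely.
        return any(_source_matches(s, embedder_url, page_url) for s in sources)

    xfo = _header(headers, "x-frame-options")
    if xfo is None:
        return True
    # HTML-spec handling: split on commas, compare case-insensitively.
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if len(values) > 1:
        # Conflicting values block only when one of them is a recognised keyword.
        return not (values & {"deny", "sameorigin", "allowall"})
    value = next(iter(values), "")
    if value == "deny":
        return False
    if value == "sameorigin":
        return _origin(embedder_url) == _origin(page_url)
    # ALLOW-FROM and any other value are unrecognised: the header is ignored.
    return True


def audit(headers: dict[str, str], page_url: str) -> str:
    """One-line verdict: can an arbitrary third-party site frame this response?"""
    if framing_allowed(headers, page_url, "https://attacker.example"):
        return "VULNERABLE: cross-origin framing permitted"
    return "OK: cross-origin framing blocked"


PAGE = "https://app.example.com/admin"
SAMPLES = {  # constructed header sets covering the cases that matter
    "no headers": {},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo allow-from": {"X-Frame-Options": "ALLOW-FROM https://trusted.example"},
    "csp self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp beats xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:15} {audit(hdrs, PAGE)}")
```

Run as a script it prints a verdict for each sample; in a scanner, call `framing_allowed` with the headers of a fetched response and the origin you want to test as the embedder. Note that the "csp beats xfo" and "allow-from" samples both come back frameable even though a header is set, which is exactly the misconfiguration a header-presence check would miss.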