VYPR

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

Abstraction: Base · Status: Incomplete

Description

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-103 · CAPEC-181 · CAPEC-222 · CAPEC-504 · CAPEC-506 · CAPEC-587 · CAPEC-654

CVEs mapped to this weakness (89)

page 4 of 5
  • CVE-2025-41000 · Low · Sep 3, 2025
    risk 0.14 · cvss · epss 0.00

    Cross-Frame Scripting (XFS) vulnerability in BoomCMS v9.1.4 from UXB London. XFS is a web attack technique that exploits specific browser bugs to spy on users via JavaScript. This type of attack is based on social engineering and depends entirely on the browser chosen by the…

  • CVE-2011-1244 · Apr 13, 2011
    risk 0.01 · cvss · epss 0.15

    Microsoft Internet Explorer 6, 7, and 8 does not enforce intended domain restrictions on content access, which allows remote attackers to obtain sensitive information or conduct clickjacking attacks via a crafted web site, aka "Frame Tag Information Disclosure Vulnerability."

  • CVE-2026-26000 · Feb 12, 2026
    risk 0.00 · cvss · epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0, 17.4.6, and 16.10.13, it's possible using comments to inject CSS that would transform the full wiki in a link area leading to a malicious page. This…

  • CVE-2025-63522 · Dec 1, 2025
    risk 0.00 · cvss · epss 0.00

    Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function

  • CVE-2025-54139 · Jul 22, 2025
    risk 0.00 · cvss · epss 0.00

    HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading…

  • CVE-2025-49139 · Jun 9, 2025
    risk 0.00 · cvss · epss 0.00

    HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the…

  • CVE-2025-31138 · Apr 7, 2025
    risk 0.00 · cvss · epss 0.00

    tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where user-controlled inputs for element dimensions (width and height) were not properly validated. This allowed an attacker with direct access to…

  • CVE-2024-2383 · Jun 6, 2024
    risk 0.00 · cvss · epss 0.00

    A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an…

  • CVE-2024-0669 · Jan 18, 2024
    risk 0.00 · cvss · epss 0.00

    A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting versions below 6.0.5. An attacker could store a malicious URL to be opened by an administrator and execute a malicious iframe element.

  • CVE-2023-38873 · Sep 28, 2023
    risk 0.00 · cvss · epss 0.01

    The commit 3730880 (April 2023) and v.0.9-beta1 of gugoan Economizzer is vulnerable to Clickjacking. Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another…

  • CVE-2023-0780 · Feb 11, 2023
    risk 0.00 · cvss · epss 0.00

    Improper Restriction of Rendered UI Layers or Frames in GitHub repository cockpit-hq/cockpit prior to 2.3.9-dev.

  • CVE-2023-0057 · Jan 5, 2023
    risk 0.00 · cvss · epss 0.00

    Improper Restriction of Rendered UI Layers or Frames in GitHub repository pyload/pyload prior to 0.5.0b3.dev33.

  • CVE-2022-36182 · Oct 27, 2022
    risk 0.00 · cvss · epss 0.01

    Hashicorp Boundary v0.8.0 is vulnerable to Clickjacking, which allows for the interception of login credentials, redirection of users to malicious sites, or causing users to perform malicious actions on the site.

  • CVE-2022-3167 · Sep 8, 2022
    risk 0.00 · cvss · epss 0.01

    Improper Restriction of Rendered UI Layers or Frames in GitHub repository ikus060/rdiffweb prior to 2.4.1.

  • CVE-2022-28889 · Jul 7, 2022
    risk 0.00 · cvss · epss 0.02

    In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.

  • CVE-2022-24733 · Mar 14, 2022
    risk 0.00 · cvss · epss 0.01

    Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target…

  • CVE-2021-46708 · Mar 11, 2022
    risk 0.00 · cvss · epss 0.01

    The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and…

  • CVE-2021-3734 · Aug 26, 2021
    risk 0.00 · cvss · epss 0.00

    yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames.

  • CVE-2020-5679 · Dec 3, 2020
    risk 0.00 · cvss · epss 0.01

    Improper restriction of rendered UI layers or frames in EC-CUBE versions from 3.0.0 to 3.0.18 leads to clickjacking attacks. If a user accesses a specially crafted page while logged into the administrative page, unintended operations may be conducted.

  • CVE-2020-1728 · Apr 6, 2020
    risk 0.00 · cvss · epss 0.01

    A vulnerability was found in all versions of Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP responses. This does not directly lead to a security issue, yet it might aid attackers in their…