Total
349 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-27220 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 4.3 Medium |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 6220. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors. | ||||
| CVE-2022-27219 | 1 Siemens | 1 Sinema Remote Connect Server | 2024-11-21 | 4.3 Medium |
| A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). Affected application is missing general HTTP security headers in the web server configured on port 443. This could aid attackers by making the servers more prone to clickjacking, channel downgrade attacks and other similar client-based attack vectors. | ||||
| CVE-2022-24733 | 1 Sylius | 1 Sylius | 2024-11-21 | 6.1 Medium |
| Sylius is an open source eCommerce platform. Prior to versions 1.9.10, 1.10.11, and 1.11.2, it is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. The issue is fixed in versions 1.9.10, 1.10.11, and 1.11.2. A workaround is available. Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that, add a new `subscriber` in the app. | ||||
| CVE-2022-22807 | 1 Schneider-electric | 14 Hmibscea53d1edb, Hmibscea53d1edb Firmware, Hmibscea53d1edl and 11 more | 2024-11-21 | 7.4 High |
| A CWE-1021 Improper Restriction of Rendered UI Layers or Frames vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within iframes. Affected Product: EcoStruxure EV Charging Expert (formerly known as EVlink Load Management System): (HMIBSCEA53D1EDB, HMIBSCEA53D1EDS, HMIBSCEA53D1EDM, HMIBSCEA53D1EDL, HMIBSCEA53D1ESS, HMIBSCEA53D1ESM, HMIBSCEA53D1EML) (All Versions prior to SP8 (Version 01) V4.0.0.13) | ||||
| CVE-2022-22592 | 2 Apple, Redhat | 7 Ipados, Iphone, Macos and 4 more | 2024-11-21 | 6.5 Medium |
| A logic issue was addressed with improved state management. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing maliciously crafted web content may prevent Content Security Policy from being enforced. | ||||
| CVE-2022-22552 | 1 Dell | 1 Emc Appsync | 2024-11-21 | 6.9 Medium |
| Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerability in AppSync. A remote unauthenticated attacker could potentially exploit this vulnerability to trick the victim into executing state changing operations. | ||||
| CVE-2022-22503 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation As A Service | 2024-11-21 | 6.1 Medium |
| IBM Robotic Process Automation 21.0.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 227125. | ||||
| CVE-2022-20852 | 1 Cisco | 1 Webex Meetings | 2024-11-21 | 5.4 Medium |
| Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow a remote attacker to conduct a cross-site scripting (XSS) attack or a frame hijacking attack against a user of the web interface. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2022-20820 | 1 Cisco | 1 Webex Meetings | 2024-11-21 | 5.4 Medium |
| Multiple vulnerabilities in the web interface of Cisco Webex Meetings could allow a remote attacker to conduct a cross-site scripting (XSS) attack or a frame hijacking attack against a user of the web interface. For more information about these vulnerabilities, see the Details section of this advisory. | ||||
| CVE-2022-20501 | 1 Google | 1 Android | 2024-11-21 | 7.3 High |
| In onCreate of EnableAccountPreferenceActivity.java, there is a possible way to mislead the user into enabling a malicious phone account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-246933359 | ||||
| CVE-2022-20442 | 1 Google | 1 Android | 2024-11-21 | 7.3 High |
| In onCreate of ReviewPermissionsActivity.java, there is a possible way to grant permissions for a separate app with API level < 23 due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-176094367 | ||||
| CVE-2022-20331 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In the Framework, there is a possible way to enable a work profile without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-181785557 | ||||
| CVE-2022-20226 | 1 Google | 1 Android | 2024-11-21 | 3.9 Low |
| In finishDrawingWindow of WindowManagerService.java, there is a possible tapjacking due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-213644870 | ||||
| CVE-2022-20212 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In wifi.RequestToggleWifiActivity of AndroidManifest.xml, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11Android ID: A-182282630 | ||||
| CVE-2022-1803 | 1 Trudesk Project | 1 Trudesk | 2024-11-21 | 6.9 Medium |
| Improper Restriction of Rendered UI Layers or Frames in GitHub repository polonel/trudesk prior to 1.2.2. | ||||
| CVE-2022-1138 | 1 Google | 1 Chrome | 2024-11-21 | 6.5 Medium |
| Inappropriate implementation in Web Cursor in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who had compromised the renderer process to obscure the contents of the Omnibox (URL bar) via a crafted HTML page. | ||||
| CVE-2022-0455 | 1 Google | 2 Android, Chrome | 2024-11-21 | 6.5 Medium |
| Inappropriate implementation in Full Screen Mode in Google Chrome on Android prior to 98.0.4758.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | ||||
| CVE-2022-0110 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-11-21 | 4.3 Medium |
| Incorrect security UI in Autofill in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | ||||
| CVE-2021-46708 | 1 Smartbear | 1 Swagger-ui-dist | 2024-11-21 | 6.1 Medium |
| The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | ||||
| CVE-2021-44683 | 1 Duckduckgo | 1 Duckduckgo | 2024-11-21 | 8.2 High |
| The DuckDuckGo browser 7.64.4 on iOS allows Address Bar Spoofing due to mishandling of the JavaScript window.open function (used to open a secondary browser window). This could be exploited by tricking users into supplying sensitive information such as credentials, because the address bar would display a legitimate URL, but content would be hosted on the attacker's web site. | ||||