CVE-2015-2917 - Vulnerability Details - OpenCVE

Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 and Almond-2015 devices with firmware before AL2-R088M unintentionally omit the X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site that contains a (1) FRAME, (2) IFRAME, or (3) OBJECT element.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Securifi	Almond Almond-2015 Almond-2015 Firmware Almond Firmware

Configuration 1 [-]

AND

cpe:2.3:o:securifi:almond_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:securifi:almond:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:securifi:almond-2015_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:securifi:almond-2015:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.kb.cert.org/vuls/id/906576

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2015-09-21T10:00:00

Updated: 2024-08-06T05:32:20.317Z

Reserved: 2015-04-03T00:00:00

Link: CVE-2015-2917

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-09-21T10:59:05.460

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-2917

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-09-10T00:00:00", "descriptions": [{"lang": "en", "value": "Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 and Almond-2015 devices with firmware before AL2-R088M unintentionally omit the X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site that contains a (1) FRAME, (2) IFRAME, or (3) OBJECT element."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-09-21T01:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "VU#906576", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/906576"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2015-2917", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 and Almond-2015 devices with firmware before AL2-R088M unintentionally omit the X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site that contains a (1) FRAME, (2) IFRAME, or (3) OBJECT element."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "VU#906576", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/906576"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:32:20.317Z"}, "title": "CVE Program Container", "references": [{"name": "VU#906576", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/906576"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2015-2917", "datePublished": "2015-09-21T10:00:00", "dateReserved": "2015-04-03T00:00:00", "dateUpdated": "2024-08-06T05:32:20.317Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:securifi:almond_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0F8D06E-B50D-41E8-9B53-DB023EC5DB3A", "versionEndIncluding": "al1-r201exp10-l304-w33", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:securifi:almond:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1E395E7-282D-453B-9263-1147F1C68725", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:securifi:almond-2015_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCC7722A-CB7A-4E3E-9858-5601DB8BCA7C", "versionEndIncluding": "al2-r088", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:securifi:almond-2015:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9FB54DB-EC2A-43EC-9EE8-C0FAFADBD912", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 and Almond-2015 devices with firmware before AL2-R088M unintentionally omit the X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site that contains a (1) FRAME, (2) IFRAME, or (3) OBJECT element."}, {"lang": "es", "value": "Vulnerabilidad en dispositivos Securifi Almond con firmware anterior a AL1-R201EXP10-L304-W34 y dispositivos Almond-2015 con firmware anterior a AL2-R088M, omiten involuntariamente la cabecera HTTP X-Frame-Options, lo que hace m\u00e1s f\u00e1cil para atacantes remotos llevar a cabo ataques de secuestro de clic a trav\u00e9s de una p\u00e1gina web manipulada que contiene un elemento (1) FRAME, (2) IFRAME u (3) OBJECT."}], "id": "CVE-2015-2917", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-09-21T10:59:05.460", "references": [{"source": "cret@cert.org", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/906576"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/906576"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}