Total: 327 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-4950 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-12-19 | 6.5 Medium |
Inappropriate implementation in Downloads in Google Chrome prior to 125.0.6422.60 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
CVE-2021-29827 | 1 Ibm | 1 Infosphere Information Server | 2024-12-19 | 5.2 Medium |
IBM InfoSphere Information Server 11.7 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | ||||
CVE-2024-31323 | 1 Google | 1 Android | 2024-12-17 | 7.8 High |
In onCreate of multiple files, there is a possible way to trick the user into granting health permissions due to tapjacking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
CVE-2024-31324 | 1 Google | 1 Android | 2024-12-17 | 7.3 High |
In hide of WindowState.java, there is a possible way to bypass tapjacking/overlay protection by launching the activity in portrait mode first and then rotating it to landscape mode. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation. | ||||
CVE-2024-34743 | 1 Google | 1 Android | 2024-12-17 | 7.8 High |
In setTransactionState of SurfaceFlinger.cpp, there is a possible way to perform tapjacking due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
CVE-2024-55888 | | | 2024-12-13 | 7.1 High |
Hush Line is an open-source whistleblower management system. Starting in version 0.1.0 and prior to version 0.3.5, the production server appeared to have been misconfigured and missed providing any content security policy or security headers. This could result in bypassing of cross-site scripting filters. Version 0.3.5 fixed the issue. | ||||
CVE-2024-7404 | 1 Gitlab | 1 Gitlab | 2024-12-13 | 6.8 Medium |
An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker to gain full API access as the victim via the Device OAuth flow. | ||||
CVE-2024-2177 | 1 Gitlab | 1 Gitlab | 2024-12-12 | 6.8 Medium |
A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload. | ||||
CVE-2024-1550 | 3 Debian, Mozilla, Redhat | 8 Debian Linux, Firefox, Thunderbird and 5 more | 2024-12-10 | 6.1 Medium |
A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox < 123, Firefox ESR < 115.8, and Thunderbird < 115.8. | ||||
CVE-2023-23343 | 1 Hcltech | 1 Bigfix Osd Bare Metal Server | 2024-12-05 | 2.4 Low |
A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows an attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled domain. | ||||
CVE-2022-20443 | 1 Google | 1 Android | 2024-12-05 | 7.8 High |
In hasInputInfo of Layer.cpp, there is a possible bypass of user interaction requirements due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-13. Android ID: A-194480991 | ||||
CVE-2024-11700 | 1 Mozilla | 2 Firefox, Thunderbird | 2024-12-02 | 8.1 High |
Malicious websites may have been able to perform user intent confirmation through tapjacking. This could have led to users unknowingly approving the launch of external applications, potentially exposing them to underlying vulnerabilities. This vulnerability affects Firefox < 133 and Thunderbird < 133. | ||||
CVE-2024-26167 | 1 Microsoft | 1 Edge | 2024-11-29 | 4.3 Medium |
Microsoft Edge for Android Spoofing Vulnerability | ||||
CVE-2018-0355 | 1 Cisco | 1 Unified Communications Manager | 2024-11-29 | 6.1 Medium |
A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCvg19761. | ||||
CVE-2024-11695 | 1 Redhat | 6 Enterprise Linux, Rhel Aus, Rhel E4s and 3 more | 2024-11-27 | 5.4 Medium |
A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. | ||||
CVE-2023-34658 | 1 Telegram | 1 Telegram | 2024-11-27 | 5.3 Medium |
Telegram v9.6.3 on iOS allows attackers to hide critical information on the User Interface via calling the function SFSafariViewController. | ||||
CVE-2024-53976 | | | 2024-11-26 | 5.4 Medium |
Under certain circumstances, navigating to a webpage would result in the address missing from the location URL bar, making it unclear what the URL was for the loaded webpage. This vulnerability affects Firefox for iOS < 133. | ||||
CVE-2018-15423 | 1 Cisco | 1 Hyperflex Hx Data Platform | 2024-11-26 | 4.7 Medium |
A vulnerability in the web UI of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to affect the integrity of a device via a clickjacking attack. The vulnerability is due to insufficient input validation of iFrame data in HTTP requests that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted HTTP packets with malicious iFrame data. A successful exploit could allow the attacker to perform a clickjacking attack where the user is tricked into clicking a malicious link. | ||||
CVE-2023-7013 | 1 Google | 1 Chrome | 2024-11-25 | 5.4 Medium |
Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. (Chromium security severity: Medium) | ||||
CVE-2019-1975 | 1 Cisco | 10 Hyperflex Hx220c Af M5, Hyperflex Hx220c Af M5 Firmware, Hyperflex Hx220c Edge M5 and 7 more | 2024-11-21 | 6.1 Medium |
A vulnerability in the web-based interface of Cisco HyperFlex Software could allow an unauthenticated, remote attacker to execute a cross-frame scripting (XFS) attack on an affected device. This vulnerability is due to insufficient HTML iframe protection. An attacker could exploit this vulnerability by directing a user to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct clickjacking or other client-side browser attacks. |