Total
356 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-59479 | 1 Inaba | 2 Ib-mct001, Ib-mct001 Firmware | 2025-12-23 | N/A | 6.1 MEDIUM |
| CHOCO TEI WATCHER mini (IB-MCT001) contains an issue with improper restriction of rendered UI layers or frames. If a user clicks on content on a malicious web page while logged into the product, unintended operations may be performed on the product. | |||||
| CVE-2025-14812 | 2025-12-19 | N/A | 7.5 HIGH | ||
| ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk. | |||||
| CVE-2025-14809 | 2025-12-19 | N/A | 7.4 HIGH | ||
| ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content. | |||||
| CVE-2025-14373 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-19 | N/A | 4.3 MEDIUM |
| Inappropriate implementation in Toolbar in Google Chrome on Android prior to 143.0.7499.110 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2025-59849 | 2025-12-18 | N/A | 4.7 MEDIUM | ||
| Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages. | |||||
| CVE-2025-48639 | 1 Google | 1 Android | 2025-12-08 | N/A | 7.3 HIGH |
| In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2025-48597 | 1 Google | 1 Android | 2025-12-08 | N/A | 7.8 HIGH |
| In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-36149 | 1 Ibm | 1 Concert | 2025-12-02 | N/A | 6.3 MEDIUM |
| IBM Concert Software 1.0.0 through 2.0.0 could allow a remote attacker to hijack the clicking action of the victim. | |||||
| CVE-2025-63522 | 1 Feehi | 1 Feehicms | 2025-12-02 | N/A | 4.6 MEDIUM |
| Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function | |||||
| CVE-2025-54527 | 1 Jetbrains | 1 Youtrack | 2025-12-01 | N/A | 6.1 MEDIUM |
| In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass security restrictions | |||||
| CVE-2025-13132 | 2025-11-25 | N/A | 7.4 HIGH | ||
| This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Without this notification, users could potentially be misled about what site they were on if a malicious site renders a fake UI (like a fake address bar.) | |||||
| CVE-2025-0421 | 2025-11-19 | N/A | 4.7 MEDIUM | ||
| Improper Restriction of Rendered UI Layers or Frames vulnerability in Shopside Software Technologies Inc. Shopside allows iFrame Overlay.This issue affects Shopside: through 05022025. | |||||
| CVE-2024-40817 | 1 Apple | 2 Macos, Safari | 2025-11-04 | N/A | 6.1 MEDIUM |
| The issue was addressed with improved UI handling. This issue is fixed in macOS Sonoma 14.6, Safari 17.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing. | |||||
| CVE-2025-30191 | 2025-11-04 | N/A | 5.4 MEDIUM | ||
| Malicious content from E-Mail can be used to perform a redressing attack. Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. Attribute values containing HTML fragments are now denied by the sanitization procedure. No publicly available exploits are known | |||||
| CVE-2025-64387 | 2025-11-04 | N/A | N/A | ||
| The web application is vulnerable to a so-called ‘clickjacking’ attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate. | |||||
| CVE-2024-11695 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-11-03 | N/A | 5.4 MEDIUM |
| A crafted URL containing Arabic script and whitespace characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 133, Firefox ESR < 128.5, Thunderbird < 133, and Thunderbird < 128.5. | |||||
| CVE-2025-5267 | 1 Mozilla | 1 Firefox | 2025-11-03 | N/A | 5.4 MEDIUM |
| A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. | |||||
| CVE-2024-30109 | 1 Hcltech | 1 Dryice Aex | 2025-10-30 | N/A | 3.7 LOW |
| HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page than the one intended. | |||||
| CVE-2025-28129 | 1 Phpgurukul | 1 Hostel Management System | 2025-10-21 | N/A | 5.4 MEDIUM |
| Phpgurukul Hostel Management System 2.1 is vulnerable to clickjacking. | |||||
| CVE-2025-31138 | 1 Amauri | 1 Tarteaucitronjs | 2025-10-21 | N/A | 5.5 MEDIUM |
| tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where user-controlled inputs for element dimensions (width and height) were not properly validated. This allowed an attacker with direct access to the site's source code or a CMS plugin to set values like 100%;height:100%;position:fixed;, potentially covering the entire viewport and facilitating clickjacking attacks. An attacker with high privileges could exploit this vulnerability to overlay malicious UI elements on top of legitimate content, trick users into interacting with hidden elements (clickjacking), or disrupt the intended functionality and accessibility of the website. This vulnerability is fixed in 1.20.1. | |||||