Total
313 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-24874 | 2025-02-18 | N/A | 6.8 MEDIUM | ||
| SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP directive. Hence, clickjacking could become possible then, and lead to exposure and modification of sensitive information. | |||||
| CVE-2024-49796 | 1 Ibm | 1 Applinx | 2025-02-13 | N/A | 5.4 MEDIUM |
| IBM ApplinX 11.1 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | |||||
| CVE-2025-1019 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-02-06 | N/A | 4.3 MEDIUM |
| The z-order of the browser windows could be manipulated to hide the fullscreen notification. This could potentially be leveraged to perform a spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135. | |||||
| CVE-2025-1018 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-02-06 | N/A | 5.3 MEDIUM |
| The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability affects Firefox < 135 and Thunderbird < 135. | |||||
| CVE-2024-6466 | 2025-01-21 | N/A | 5.3 MEDIUM | ||
| NEC Corporation's WebSAM DeploymentManager v6.0 to v6.80 allows an attacker to reset configurations or restart products via network with X-FRAME-OPTIONS is not specified. | |||||
| CVE-2023-25730 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-01-10 | N/A | 5.4 MEDIUM |
| A background script invoking <code>requestFullscreen</code> and then blocking the main thread could force the browser into fullscreen mode indefinitely, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8. | |||||
| CVE-2023-25748 | 1 Mozilla | 1 Firefox | 2025-01-09 | N/A | 4.3 MEDIUM |
| By displaying a prompt with a long description, the fullscreen notification could have been hidden, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 111. | |||||
| CVE-2023-28159 | 1 Mozilla | 1 Firefox | 2025-01-09 | N/A | 4.3 MEDIUM |
| The fullscreen notification could have been hidden on Firefox for Android by using download popups, resulting in potential user confusion or spoofing attacks. <br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 111. | |||||
| CVE-2023-2013 | 1 Gitlab | 1 Gitlab | 2025-01-07 | N/A | 2.6 LOW |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. | |||||
| CVE-2024-29981 | 1 Microsoft | 1 Edge Chromium | 2025-01-06 | N/A | 4.3 MEDIUM |
| Microsoft Edge (Chromium-based) Spoofing Vulnerability | |||||
| CVE-2024-31323 | 1 Google | 1 Android | 2024-12-17 | N/A | 7.8 HIGH |
| In onCreate of multiple files, there is a possible way to trick the user into granting health permissions due to tapjacking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2024-34743 | 1 Google | 1 Android | 2024-12-17 | N/A | 7.8 HIGH |
| In setTransactionState of SurfaceFlinger.cpp, there is a possible way to perform tapjacking due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2024-7404 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.8 MEDIUM |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow. | |||||
| CVE-2024-2177 | 1 Gitlab | 1 Gitlab | 2024-12-12 | N/A | 6.8 MEDIUM |
| A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload. | |||||
| CVE-2024-55888 | 2024-12-12 | N/A | 7.1 HIGH | ||
| Hush Line is an open-source whistleblower management system. Starting in version 0.1.0 and prior to version 0.3.5, the productions server appeared to have been misconfigured and missed providing any content security policy or security headers. This could result in bypassing of cross-site scripting filters. Version 0.3.5 fixed the issue. | |||||
| CVE-2024-26167 | 1 Microsoft | 1 Edge | 2024-11-29 | N/A | 4.3 MEDIUM |
| Microsoft Edge for Android Spoofing Vulnerability | |||||
| CVE-2023-34658 | 1 Telegram | 1 Telegram | 2024-11-27 | N/A | 5.3 MEDIUM |
| Telegram v9.6.3 on iOS allows attackers to hide critical information on the User Interface via calling the function SFSafariViewController. | |||||
| CVE-2023-7013 | 1 Google | 1 Chrome | 2024-11-25 | N/A | 4.7 MEDIUM |
| Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2024-3911 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| An unauthenticated remote attacker can deceive users into performing unintended actions due to improper restriction of rendered UI layers or frames. | |||||
| CVE-2024-39320 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 6.1 MEDIUM |
| Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5. | |||||