3799 matches found
Web Application Potentially Vulnerable to Clickjacking
The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area...
Clickjacking
Overview Affected versions of this package are vulnerable to Clickjacking. By enabling the SVG setting without taking other precautions, you might expose your application to click-hijacking attacks. In these attacks, sanitized SVG elements could be positioned outside of the containing element and...
CVE-2015-1980
IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors...
Code injection
IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors...
CVE-2015-1980
IBM InfoSphere Master Data Management - Collaborative Edition vulnerable to clickjacking on versions 9.1, 10.1, 11.0, 11.3, 11.4 prior to FP03. Exploitation could allow remote authenticated users to hijack the victim’s click actions via crafted HTTP requests or malicious sites. Affected versions ...
CVE-2015-4266
The web interface in Cisco Identity Services Engine ISE 1.14.1, 1.3106.146, and 1.3120.135 does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame...
Cross site scripting
The web interface in Cisco Identity Services Engine ISE 1.14.1, 1.3106.146, and 1.3120.135 does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame...
CVE-2015-4266
CVE-2015-4266 affects Cisco Identity Services Engine (ISE) web interface: ISE 1.1(4.1), 1.3(106.146), and 1.3(120.135) are vulnerable due to insufficient iframe protection, enabling cross-frame scripting (XFS)/clickjacking via a crafted site. Impact is remote, unauthenticated browser attacks (cli...
CollabNet Subversion Edge missing clickjacking protection
Vuln Title: The CollabNet Subversion Edge Management Frontend does not implement clickjacking protection Date: 28.06.2015 Author: otr Software Link: https://www.open.collab.net/downloads/svnedge Vendor: CollabNet Version: 4.0.11 Tested on: Fedora Linux Type: Clickjacking Risk: Medium Status:...
Multiple Blue Coat Systems SSL Visibility Appliance Products Incorrectly Enter Authentication Vulnerabilities
Blue Coat Systems SSL Visibility Appliance SV800 and others are products of Blue Coat Systems, U.S.A. The Blue Coat SSL Visibility Appliance SV800 is a management platform that provides complete visibility into encrypted traffic. The appliance offers features such as a dedicated encrypted traffic...
Coinbase: OAuth authorization page vulnerable to clickjacking
Due to a misconfiguration, the 'authorize' button on the OAuth authorization page was vulnerable to clickjacking. The bug was fixed by ensuring our OAuth-related responses included the same security headers including X-Frame-Options as the rest of the site...
McAfee Agent 4.6.x < 4.8.0.1938 / 5.0.x < 5.0.1 Log View Clickjacking (SB10094)
According to its self-reported version, the McAfee Agent MA running on the remote host is 4.6.x prior to 4.8.0.1938 or 5.0.x prior to 5.0.1. It is, therefore, affected by a clickjacking vulnerability in the log viewing feature due to improper validation of user-supplied input. A remote attacker c...
McAfee Managed Agent 4.6.x < 4.8.0.1938 / 5.0.x < 5.0.1 Log View Clickjacking (SB10094) (credentialed check)
According to its self-reported version number, the remote host has a version of McAfee Agent MA installed that is 4.6.x prior to 4.8.0.1938 or 5.0.x prior to 5.0.1. It is, therefore, affected by a clickjacking vulnerability in the log viewing feature due to improper validation of user-supplied...
CVE-2015-2854
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via vectors involving an IFRAME element...
Design/Logic Flaw
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via vectors involving an IFRAME element...
CVE-2015-2854
The CVE-2015-2854 entry concerns Blue Coat SSL Visibility Appliance WebUI (SV800, SV1800, SV2800, SV3800) versions 3.6.x–3.8.3. The root cause is improper X-Frame-Options handling in the WebUI, failing to enforce same-origin policy and enabling clickjacking via crafted IFRAMEs. Impact is remote, ...
Legal Robot: Missing security headers, possible clickjacking
Security researcher discovered missing headers, including x-frame-options and content-security-policy...