144 matches found
Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
The Mozilla Foundation Security Advisory describes this flaw as: An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link...
Mozilla: Browser window spoof using fullscreen mode
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of when exiting fullscreen mode, an iframe could have confused the browser about the current state of the fullscreen, resulting in potential user confusion or spoofing attacks...
CVE-2022-28649
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description...
Github clash 访问控制错误漏洞
Github clash is a rule-based tunnel in Go. A security vulnerability exists in Github clash, which can be exploited by embedding a malicious iframe page into a website with a crafted URL that launches the Clash Windows client and forces it to open a remote SMB share. Windows will perform NTLM...
The vulnerability of the iframe element in Mozilla Firefox allows a violator to circumvent the imposed security restrictions.
The vulnerability of the iframe element in Mozilla Firefox and the Mozilla Thunderbird email client is related to deficiencies in access control. Exploiting this vulnerability allows a malicious actor to circumvent security restrictions by adding an iframe element with a JavaScript event to the...
PT-2022-6694 · Schneider Electric · Ecostruxure Ev Charging Expert
Name of the Vulnerable Software and Affected Versions: EcoStruxure EV Charging Expert versions prior to V4.0.0.13 Description: A vulnerability exists that could cause unintended modifications of the product settings or user accounts when deceiving the user to use the web interface rendered within...
多款Schneider Electric产品安全漏洞
Schneider Electric EVlink City and others are a charging solution for electric vehicle charging stations from Schneider Electric, a French company. A security vulnerability exists in several Schneider Electric products that originates when a user is induced to use a web interface rendered in...
Collabora Online 跨站脚本漏洞
Collabora Online is an application from Collabora. A powerful LibreOffice-based online office that supports all major document, spreadsheet and presentation file formats. Collabora Online suffers from a cross-site scripting vulnerability that stems from a lack of escaping and filtering of...
Cross-site Scripting (XSS) - Reflected in erikdubbelboer/phpredisadmin
✍️ Description The application is vulnerable to XFS attack. 🕵️♂️ Proof of Concept Navigate to https://domain.tld/phpRedisAdmin/?https://www.eia.gov/state/maps The page https://www.eia.gov/state/maps.php will be loaded in an iframe on the page. 💥 Impact Cross-Frame Scripting XFS is an attack that...
IBM Sterling Connect 安全漏洞
IBM Sterling Connect: Direct is a file-based peer-to-peer file transfer solution from IBM, U.S.A. A clickjacking vulnerability exists in IBM Sterling Connec versions 1.4.1.1 and 1.5.0.2, which stems from a program that does not adequately protect HTML iframes. A remote attacker could exploit The...
The vulnerability in the isolated environment of the Google Chrome browser’s iframe allows a perpetrator to compromise data integrity.
The vulnerability in the isolated iframe environment of Google Chrome relates to improper security checks for standard elements. Exploiting this vulnerability allows a remote attacker to compromise data integrity...
Containous Traefik Security Vulnerability
Containous Traefik is a reverse proxy and load balancer from Containous USA. A security vulnerability exists in Containous Traefik. The vulnerability stems from the software allowing IFRAME to be loaded from other domains.The following products and versions are affected:Containous Traefik 2.4.3...
CVE-2019-9558
Mailtraq WebMail version 2.17.7.3550 has Persistent Cross Site Scripting XSS via the body of an e-mail message. To exploit the vulnerability, the victim must open an email with malicious Javascript inserted into the body of the email as an iframe...
The vulnerabilities of Mozilla Firefox, Firefox ESR, and the email client Thunderbird are related to deficiencies in the implementation of SOP (Same-origin policy). These vulnerabilities allow attackers to gain unauthorized access to protected information.
The vulnerabilities of Mozilla Firefox, Firefox ESR, and the email client Thunderbird are related to deficiencies in the implementation of SOP Same-origin policy. Exploiting these vulnerabilities can allow an attacker, operating remotely, to gain unauthorized access to protected information using...
UBUNTU-CVE-2017-7815
On pages containing an iframe, the "data:" protocol can be used to create a modal dialog through Javascript that will have an arbitrary domains as the dialog's location, spoofing of the origin of the modal dialog from the user view. Note: This attack only affects installations with e10 multiproce...
chromium-browser: csp referrer disclosure
Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly handled iframes, which allowed a remote attacker to bypass a no-referrer policy via a crafted HTML page...
Wordpress plugin iframe cross-site scripting vulnerability
WordPress is the WordPress Software Foundation of a set of blogging platform developed using the PHP language, the platform supports PHP and MySQL servers to set up a personal blog site. iframe plugin is a pop-up layer allowing external URLs to be loaded into the iframe page plugin . A cross-site...
Eliacom Enhanced SQL Portal 'iframe.php' Cross-Site Scripting Vulnerability
Eliacom Enhanced SQL Portal is a database management system. A cross-site scripting vulnerability in Eliacom Enhanced SQL Portal allows remote attackers to exploit the vulnerability to inject malicious script or HTML code, which can be used to gain access to sensitive information or hijack user...
chromium-browser: Cross-origin-bypass in HTML parser
The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in the HTML parser in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy via a crafted HTML document with an IFRAME element...
UBUNTU-CVE-2014-1586
content/base/src/nsDocument.cpp in Mozilla Firefox before 33.0, Firefox ESR 31.x before 31.2, and Thunderbird 31.x before 31.2 does not consider whether WebRTC video sharing is occurring, which allows remote attackers to obtain sensitive information from the local camera in certain IFRAME...