Japan Vulnerability Notes
added 2015/12/17 6:19 a.m. · 1 views

Adobe Flash Player issue where iframe contents may be overwritten

Overview: Adobe Flash Player contains an issue where the same-origin policy may be bypassed, leading to iframe contents being overwritten. Tokuji Akamine reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Impact...

CVSS 5.8 | AI score 6.5 | EPSS 0.04308
Exploits: 0 | References: 13
Japan Vulnerability Notes
added 2015/12/17 12:00 a.m. · 31 views

JVN#22533124: Adobe Flash Player issue where iframe contents may be overwritten

Adobe Flash Player contains an issue where the same-origin policy may be bypassed, leading to iframe contents being overwritten. Impact: Processing specially crafted Flash content may lead to iframe contents being overwritten. Solution: Apply an Update. Update to the latest version according to the...

CVSS 5 | AI score 7.5 | EPSS 0.04308
Exploits: 0
UbuntuCve
added 2015/12/15 12:00 a.m. · 23 views

CVE-2015-7207

Mozilla Firefox before 43.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls, a...

CVSS 5 | AI score 7 | EPSS 0.02804
Exploits: 0 | References: 3
OSV
added 2015/12/15 12:00 a.m. · 2 views

UBUNTU-CVE-2015-7207

Mozilla Firefox before 43.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls, a...

CVSS 5 | AI score 7 | EPSS 0.02804
Exploits: 0 | References: 4
0day.today
added 2015/12/13 12:00 a.m. · 74 views

Intellect Core Cross Site Scripting Vulnerability

Intellect Core banking software suffers from a cross site scripting vulnerability. Vendor: Intellect Design Arena Polaris. Product: Intellect Core banking software, Armar module. Vulnerability Type: Cross site scripting - XSS. CVE...

CVSS 4.3 | AI score 6.3 | EPSS 0.00783
Exploits: 3
Hacker One
added 2015/12/07 10:53 p.m. · 25 views

Khan Academy: Escaping the iframe via exceptions

You can throw an object with an html property to run arbitrary js. Here is an example program that modifies a user's profile. I made the program as private as possible by saving it with nouser and drawing nothing in the hopes that it will be ignored, but if you want me to delete it, I will. The...

AI score 2.4
Exploits: 0
Openbugbounty
added 2015/12/07 8:45 a.m. · 8 views

kolhapurhelpline.com IFRAME Injection vulnerability

Vulnerable URL: http://www.kolhapurhelpline.com/website.php?website=https://www.xssposed.org/

Details:

| Description | Value |
|---|---|
| Patched: | No |
| Latest check for patch: | 26.07.2017 |
| Vulnerability type: | IFRAME Injection |
| Vulnerability status: | Publicly disclosed |
| Alexa Rank | Unknown / Not calculated... |

AI score 7.3
Exploits: 0
CVE
added 2015/11/19 2:00 a.m. · 52 views

CVE-2015-6374

The CVE-2015-6374 vulnerability affects Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices, where the web interface inadequately restricts IFRAME usage. The root cause is insufficient input sanitization of iframe data in HTTP requests, enabling remote attackers to pe...

CVSS 4.3 | AI score 6.9 | EPSS 0.00838
Exploits: 0 | References: 1 | Affected Software: 1
Cisco
added 2015/11/17 9:46 p.m. · 36 views

Cisco Firepower 9000 Series Switch Clickjacking Vulnerability

A vulnerability in the web interface of the Cisco Firepower 9000 Series Switch could allow an unauthenticated, remote attacker to affect the integrity of the device through a clickjacking or phishing attack. The vulnerability is due to the lack of proper input sanitization of iFrame data in the HT...

CVSS 5 | AI score 6.6 | EPSS 0.00838
Exploits: 0 | References: 1
seebug.org
added 2015/11/17 12:00 a.m. · 166 views

Android Browser application denial of service vulnerability

The Android 4.0.3 Browser application does not correctly handle special URIs. An attacker can place a specially crafted market: URI in the SRC attribute of an IFRAME element and trick the application into parsing it, which can crash the application. Test method: var mframe = ""; for (var i = 0; i...

AI score 7
Exploits: 0
RedhatCVE
added 2015/10/30 9:25 a.m. · 20 views

CVE-2007-5896

Mozilla Firefox 2.0.0.9 allows remote attackers to cause a denial of service (CPU consumption and crash) via an iframe with Javascript that sets the document.location to contain a leading NULL byte (\x00) and a (1) res://, (2) about:config, or (3) file:/// URI...

CVSS 7.1 | AI score 7.4 | EPSS 0.01174
Exploits: 0 | References: 2
CNVD
added 2015/10/30 12:00 a.m. · 2 views

Red Hat Enterprise Application Platform Clickjacking Attack Vulnerability

Red Hat Enterprise Application Platform is an open source, J2EE-based middleware platform from Red Hat, Inc. of the United States, used mainly to build, deploy and host Java applications and services. A clickjacking attack vulnerability exists in Red Hat Enterprise Application...

CVSS 4.3 | AI score 6.7 | EPSS 0.01743
Exploits: 0 | References: 1
RedHat Linux
added 2015/10/15 3:58 p.m. · 2 views

AS/WildFly: missing X-Frame-Options header leading to clickjacking

It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking)...

CVSS 4.3 | AI score 5.9 | EPSS 0.01743
Exploits: 0 | References: 4
RedHat Linux
added 2015/10/15 3:40 p.m. · 1 views

AS/WildFly: missing X-Frame-Options header leading to clickjacking

It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking)...

CVSS 4.3 | AI score 5.9 | EPSS 0.01743
Exploits: 0 | References: 4
RedHat Linux
added 2015/10/15 3:40 p.m. · 32 views

Important: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.4 update

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.4 and fix three security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common...

CVSS 6.8 | AI score 7.3 | EPSS 0.02978
Exploits: 0 | References: 18
RedHat Linux
added 2015/10/15 3:28 p.m. · 2 views

AS/WildFly: missing X-Frame-Options header leading to clickjacking

It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking)...

CVSS 4.3 | AI score 5.9 | EPSS 0.01743
Exploits: 0 | References: 4
Debian CVE
added 2015/10/12 1:00 a.m. · 31 views

CVE-2015-1303

Removed by vendor...

CVSS 7.5 | AI score 9.4 | EPSS 0.01729
Exploits: 1
RedHat Linux
added 2015/09/29 9:55 a.m. · 1 views

chromium-browser: Cross-origin bypass in DOM

bindings/core/v8/V8DOMWrapper.h in Blink, as used in Google Chrome before 45.0.2454.101, does not perform a rethrow action to propagate information about a cross-context exception, which allows remote attackers to bypass the Same Origin Policy via a crafted HTML document containing an IFRAME...

CVSS 7.5 | AI score 7.4 | EPSS 0.01729
Exploits: 1 | References: 5
OSV
added 2015/09/29 12:00 a.m. · 1 views

UBUNTU-CVE-2015-1303

bindings/core/v8/V8DOMWrapper.h in Blink, as used in Google Chrome before 45.0.2454.101, does not perform a rethrow action to propagate information about a cross-context exception, which allows remote attackers to bypass the Same Origin Policy via a crafted HTML document containing an IFRAME...

CVSS 7.5 | AI score 7.3 | EPSS 0.01729
Exploits: 1 | References: 3
Packet Storm
added 2015/09/26 12:00 a.m. · 57 views

X2Engine 4.2 Cross Site Request Forgery

Vulnerability title: Cross-Site Request Forgery In X2Engine Inc. X2Engine. CVE: CVE-2015-5075. Vendor: X2Engine Inc. Product: X2Engine. Affected version: 4.2. Fixed version: 5.2. Reported by: Simone Quatrini. Details: It was discovered that no protection against Cross-site Request Forgery attacks was...

CVSS 6.8 | AI score 0.7 | EPSS 0.02756
Exploits: 4