CWE-1021 Improper Restriction of Rendered UI Layers or Frames: vulnerability list (110)

Summary of the 110 CVE entries classified under weakness CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), with AI-generated Chinese analysis.

CWE-1021 is an improper UI-layer restriction weakness: a web application fails to properly restrict frame objects and UI layers that belong to other applications or domains. Attackers commonly exploit this by embedding a malicious iframe or overlaying a legitimate interface to carry out clickjacking or content injection, tricking users into interactions that leak data or perform unauthorised actions. Developers should avoid embedding untrusted sources directly and should use the X-Frame-Options response header or a Content-Security-Policy to strictly limit where a page may be framed, isolating UI layers across domains and preserving the integrity of the user interface.

MITRE CWE official description

CWE: CWE-1021 Improper Restriction of Rendered UI Layers or Frames. Description: The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.

Common consequences (1)

Scope: Access Control. Impact: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data.
An attacker can trick a user into performing actions that are masked and hidden from the user's view. The impact varies widely, depending on the functionality of the underlying application. For example, in a social media application, clickjacking could be used to trick the user into changing privacy…
Mitigations (4)

Implementation: The use of X-Frame-Options allows developers of web content to restrict the usage of their application within the form of overlays, frames, or iFrames. The developer can indicate from which domains can frame the content. The concept of X-Frame-Options is well documented, but implementation of this protection mechanism is in development to cover gaps. There is a need for allowing frames from multip…

Implementation: A developer can use a "frame-breaker" script in each page that should not be framed. This is very helpful for legacy browsers that do not support the X-Frame-Options security feature previously mentioned. It is also important to note that this tactic has been circumvented or bypassed. Improper usage of frames can persist in the web application through nested frames. The "frame-breaking" script does no…

Implementation: This defense-in-depth technique can be used to prevent the improper usage of frames in web applications. It prioritizes the valid sources of data to be loaded into the application through the usage of declarative policies. Based on which implementation of Content Security Policy is in use, the developer should use the "frame-ancestors" directive or the "frame-src" directive to mitigate this weakne…

Implementation: In addition to frames or iframes as previously mentioned, the web application is expected to place restrictions on whether it is allowed to be rendered within objects, embed, or applet elements.
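The mitigations above boil down to two response headers, and the usual defects are a missing header, the obsolete `ALLOW-FROM` form, a CSP that forgets `frame-ancestors`, or a wildcard source. The following checker is an added example (not code from the CWE entry, MITRE, or any project in the list): given a response header set, it reports what a current browser would enforce, giving an enforced `frame-ancestors` directive precedence over `X-Frame-Options` and flagging the weak settings beside a hardened form. All sample header values and hostnames are constructed.

```python
"""Assess a response's clickjacking protections: CSP frame-ancestors and X-Frame-Options.

Added example; not code from the CWE entry, MITRE, or any listed project.
All header values in SAMPLE_RESPONSES are constructed for illustration.
"""
from __future__ import annotations

from typing import Iterable, List, Mapping, Union

# A header name maps to one value, or to a list when the header is repeated.
HeaderMap = Mapping[str, Union[str, List[str]]]


def _get_all(headers: HeaderMap, name: str) -> list[str]:
    """Case-insensitive header lookup returning every value for `name`."""
    values: list[str] = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            values.extend(value if isinstance(value, list) else [value])
    return values


def frame_ancestors_sources(policies: Iterable[str]) -> list[str] | None:
    """Source list of the first frame-ancestors directive found, or None if absent."""
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers: HeaderMap) -> dict:
    """Classify framing as 'blocked', 'restricted' or 'unrestricted', with findings.

    Mirrors what a current browser enforces: a frame-ancestors directive in an
    enforced CSP takes precedence over X-Frame-Options and also governs <object>,
    <embed> and <applet>; X-Frame-Options serves as the fallback for browsers
    that lack frame-ancestors support.
    """
    findings: list[str] = []
    enforced = _get_all(headers, "Content-Security-Policy")
    report_only = _get_all(headers, "Content-Security-Policy-Report-Only")
    xfo = [v.strip().upper() for v in _get_all(headers, "X-Frame-Options")]

    sources = frame_ancestors_sources(enforced)
    if sources is None and frame_ancestors_sources(report_only) is not None:
        findings.append("frame-ancestors appears only in a Report-Only policy; nothing is enforced")
    if sources is None and enforced:
        findings.append("CSP is present but has no frame-ancestors directive")

    if sources is not None:
        if not xfo:
            findings.append("no X-Frame-Options fallback for browsers without frame-ancestors support")
        if not sources or sources == ["'none'"]:
            return {"verdict": "blocked", "findings": findings}
        if any(s in ("*", "http:", "https:") for s in sources):
            findings.append("frame-ancestors permits any origin (wildcard or bare scheme source)")
            return {"verdict": "unrestricted", "findings": findings}
        return {"verdict": "restricted", "findings": findings}

    if not xfo:
        findings.append("neither frame-ancestors nor X-Frame-Options is set")
        return {"verdict": "unrestricted", "findings": findings}
    if len(xfo) > 1:
        findings.append("multiple X-Frame-Options values; strictest assumed here (browsers differ)")
    if "DENY" in xfo:
        return {"verdict": "blocked", "findings": findings}
    if "SAMEORIGIN" in xfo:
        return {"verdict": "restricted", "findings": findings}
    if any(v.startswith("ALLOW-FROM") for v in xfo):
        findings.append("ALLOW-FROM is obsolete and ignored by current browsers; treat as unprotected")
    else:
        findings.append(f"unrecognised X-Frame-Options value(s): {xfo}")
    return {"verdict": "unrestricted", "findings": findings}


# Constructed sample responses (hostnames are placeholders): weak settings beside the hardened form.
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "no-headers": {"Content-Type": "text/html"},
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-wildcard": {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
    "csp-without-frame-ancestors": {
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "hardened": {
        "Content-Security-Policy": "frame-ancestors 'self' https://portal.example",
        "X-Frame-Options": "SAMEORIGIN",
    },
}


def assess_all(samples: Mapping[str, HeaderMap]) -> dict[str, str]:
    """Verdict per named sample; used by the stand-alone run below."""
    return {name: assess_framing(h)["verdict"] for name, h in samples.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        result = assess_framing(headers)
        print(f"{name:28s} {result['verdict']:12s} {'; '.join(result['findings'])}")
```

Run against captured headers (for example the dict returned by an HTTP client), the verdict tells you whether the page can be framed at all, and the findings list the gap to close: the `hardened` sample is the shape to aim for, with `frame-ancestors` doing the enforcement and `X-Frame-Options: SAMEORIGIN` kept only as the legacy fallback the second mitigation describes.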
| CVE ID | Title | Affected product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-3254 | GitLab CE/EE security vulnerability | GitLab | 3.5 | Low | 2026-04-22 |
| CVE-2026-2378 | ArcSearch security vulnerability | ArcSearch | 7.4 | High | 2026-03-20 |
| CVE-2025-62328 | HCL Nomad Server security vulnerability | Nomad server on Domino | 3.7 | Low | 2026-03-11 |
| CVE-2025-58405 | CGM CLININET security vulnerability | CGM CLININET | 6.5 (AI) | Medium (AI) | 2026-03-02 |
| CVE-2026-27511 | Tenda F3 security vulnerability | Tenda F3 | 4.3 | Medium | 2026-02-23 |
| CVE-2026-26000 | XWiki Platform security vulnerability | xwiki-platform | 4.1 (AI) | Medium (AI) | 2026-02-12 |
| CVE-2026-24839 | Dokploy security vulnerability | dokploy | 4.7 | Medium | 2026-01-28 |
| CVE-2026-23731 | WeGIA security vulnerability | WeGIA | 4.3 | Medium | 2026-01-16 |
| CVE-2025-15032 | Dia security vulnerability | Dia | 7.4 | High | 2026-01-16 |
| CVE-2025-52987 | Juniper Networks Paragon Automation security vulnerability | Paragon Automation (Pathfinder, Planner, Insights) | 6.1 | Medium | 2026-01-15 |
| CVE-2026-22918 | SICK TDC-X401GL security vulnerability | TDC-X401GL | 4.3 | Medium | 2026-01-15 |
| CVE-2025-14809 | Browser Company ArcSearch security vulnerability | ArcSearch | 7.4 | High | 2025-12-19 |
| CVE-2025-14812 | Browser Company ArcSearch security vulnerability | ArcSearch | 7.5 | High | 2025-12-19 |
| CVE-2025-59849 | HCL BigFix Remote Control security vulnerability | BigFix Remote Control | 4.7 | Medium | 2025-12-17 |
| CVE-2025-59479 | Inaba Denki Sangyo CHOCO TEI WATCHER mini security vulnerability | CHOCO TEI WATCHER mini (IB-MCT001) | 8.8 (AI) | High (AI) | 2025-12-16 |
| CVE-2025-36149 | IBM Concert Software security vulnerability | IBM Concert Software | 6.3 | Medium | 2025-11-21 |
| CVE-2025-13132 | The Browser Company of New York Dia security vulnerability | Dia | 7.4 | High | 2025-11-21 |
| CVE-2025-0421 | Shopside App security vulnerability | Shopside | 4.7 | Medium | 2025-11-19 |
| CVE-2025-64387 | Circutor TCPRS1plus security vulnerability | TCPRS1plus | 6.1 | - | 2025-10-31 |
| CVE-2025-30191 | Open-Xchange OX App Suite security vulnerability | OX App Suite | 5.4 | Medium | 2025-10-31 |
| CVE-2025-59950 | FreshRSS security vulnerability | FreshRSS | 6.7 | Medium | 2025-09-29 |
| CVE-2024-13066 | LimonDesk security vulnerability | LimonDesk | 4.3 | Medium | 2025-09-03 |
| CVE-2025-41000 | BoomCMS security vulnerability | BoomCMS | 6.1 (AI) | Medium (AI) | 2025-09-03 |
| CVE-2025-1494 | IBM Cognos Command Center security vulnerability | Cognos Command Center | 6.1 | Medium | 2025-08-26 |
| CVE-2025-9108 | Portabilis i‑Diário security vulnerability | i-Diario | 4.3 | Medium | 2025-08-18 |
| CVE-2025-54527 | JetBrains YouTrack security vulnerability | YouTrack | 6.1 | Medium | 2025-07-28 |
| CVE-2025-54139 | NodeJS security vulnerability | issues | 4.3 | Medium | 2025-07-22 |
| CVE-2025-7903 | RuoYi security vulnerability | RuoYi | 4.3 | Medium | 2025-07-20 |
| CVE-2025-6983 | TP-LINK Archer C1200 security vulnerability | Archer C1200 | 4.3 (AI) | Medium (AI) | 2025-07-16 |
| CVE-2025-27455 | Endress+Hauser MEAC300-FNADE4 security vulnerability | Endress+Hauser MEAC300-FNADE4 | 4.3 | Medium | 2025-07-03 |

"(AI)" reproduces the site's AI badge attached to that score or risk level.

CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) is a common weakness class; this platform has collected 110 CVE entries associated with it.