CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) — Vulnerability Class (110 CVEs)

110 vulnerabilities are classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). AI-generated analysis in Chinese is included for each entry.

CWE-1021 covers web applications that do not restrict, or incorrectly restrict, which frames or UI layers belonging to another application or origin may render them. The usual exploitation is clickjacking (UI redressing): the attacker loads the target page inside an invisible or disguised iframe on a site they control, overlays decoy content, and tricks the user into clicking buttons or submitting forms they cannot see, so that actions such as a funds transfer or a settings change are performed with the victim's own authenticated session. The entries listed below show that the class is broader than iframe embedding alone: several are address-bar or window spoofing issues in browsers (Arc Search, Dia), where the browser's own UI layer is rendered deceptively.

For a server-rendered application the standard fix is two response headers on every page that should not be framed, error pages included. The Content-Security-Policy frame-ancestors directive lists the origins permitted to embed the page ('none', 'self', or explicit host sources such as https://*.partner.example); X-Frame-Options set to DENY or SAMEORIGIN covers browsers that predate CSP Level 2. A browser that understands frame-ancestors ignores X-Frame-Options when both are present, so the two headers must express the same policy. frame-ancestors only works as an HTTP header (it is ignored inside a <meta> tag), the obsolete ALLOW-FROM value of X-Frame-Options is not honoured by current browsers, and SAMEORIGIN compares full origins (scheme, host and port), not registrable domains, so https://app.example.com cannot be framed by https://www.example.com under that setting.
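The header evaluation described above, written out as an added example (this is not code from MITRE or from any vendor listed on this page). The function models the decision a CSP Level 2 browser makes before rendering a document in a frame: a frame-ancestors directive is consulted first and, when present, X-Frame-Options is ignored; otherwise DENY, SAMEORIGIN and conflicting or unrecognised values are handled the way the HTML specification describes. Every ancestor in the frame chain is checked, which is what makes nested framing fail under SAMEORIGIN. The header sets, origins and hostnames are constructed sample data.

```javascript
// Added example for this CWE-1021 entry. It is not code from MITRE or from any
// vendor listed on this page; it models the decision a CSP Level 2 browser makes
// before rendering a document inside a frame. All header sets and origins below
// are constructed sample data.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Split a Content-Security-Policy value into policies (comma separated, which is
// how a header sent twice appears on the wire) and return one source list per
// policy that carries a frame-ancestors directive. Every such policy must allow
// the framing for it to proceed.
function frameAncestorsLists(cspValue) {
  const lists = [];
  if (!cspValue) return lists;
  for (const policy of String(cspValue).split(",")) {
    for (const directive of policy.split(";")) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length > 0 && tokens[0].toLowerCase() === "frame-ancestors") {
        lists.push(tokens.slice(1)); // only the first occurrence in a policy counts
        break;
      }
    }
  }
  return lists;
}

// http: in a source expression also matches https: ancestors; nothing else is upgraded.
function schemeMatches(pattern, actual) {
  return pattern === actual || (pattern === "http:" && actual === "https:");
}

// Does one frame-ancestors source expression match one ancestor origin?
// Handles 'none', 'self', *, scheme-source (https:) and host-source with an
// optional scheme, a leading *. wildcard and an optional port.
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const src = source.trim().toLowerCase();
  const ancestor = new URL(ancestorOrigin);
  const page = new URL(pageOrigin);

  if (src === "'none'") return false;
  if (src === "'self'") return ancestor.origin === page.origin;
  if (src === "*") return true;

  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/.exec(src);
  if (schemeOnly) return schemeMatches(schemeOnly[1] + ":", ancestor.protocol);

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/\s]+)(?::(\*|\d+))?$/.exec(src);
  if (!m) return false; // an unparseable expression never matches
  const [, scheme, hostPattern, portPattern] = m;

  // Scheme: an explicit one must match; without one the ancestor must use the
  // page's scheme or https.
  if (scheme) {
    if (!schemeMatches(scheme + ":", ancestor.protocol)) return false;
  } else if (ancestor.protocol !== page.protocol && ancestor.protocol !== "https:") {
    return false;
  }

  // Host: "*" matches any host, "*.example.com" any subdomain but not the apex,
  // anything else is an exact hostname comparison.
  const host = ancestor.hostname.toLowerCase();
  if (hostPattern.startsWith("*.")) {
    const suffix = hostPattern.slice(1);
    if (!host.endsWith(suffix) || host.length <= suffix.length) return false;
  } else if (hostPattern !== "*" && host !== hostPattern) {
    return false;
  }

  // Port: a source without a port only matches the scheme's default port, which
  // the URL parser reports as an empty .port.
  if (portPattern === undefined) return ancestor.port === "";
  if (portPattern === "*") return true;
  return (ancestor.port || DEFAULT_PORT[ancestor.protocol]) === portPattern;
}

// Decide whether a document served with `headers` (lower-cased names, as Node's
// http module exposes them) may render inside frames whose ancestor chain has
// the given origins. Returns { allowed, reason }.
function frameVerdict(headers, pageOrigin, ancestorOrigins) {
  const lists = frameAncestorsLists(headers["content-security-policy"]);
  if (lists.length > 0) {
    // frame-ancestors present: X-Frame-Options is ignored entirely.
    const allowed = lists.every((list) =>
      ancestorOrigins.every((a) => list.some((s) => sourceMatches(s, a, pageOrigin))),
    );
    return { allowed, reason: "csp-frame-ancestors" };
  }

  const raw = headers["x-frame-options"];
  if (raw === undefined) return { allowed: true, reason: "unprotected" };
  const values = new Set(
    String(raw).split(",").map((v) => v.trim().toLowerCase()).filter(Boolean),
  );
  const recognised = ["deny", "sameorigin", "allowall"].some((k) => values.has(k));
  if (values.size > 1) {
    // "DENY, SAMEORIGIN" and similar conflicts fail closed if any token is recognised.
    return { allowed: !recognised, reason: recognised ? "xfo-conflicting" : "xfo-unrecognised" };
  }
  if (values.has("deny")) return { allowed: false, reason: "xfo-deny" };
  if (values.has("sameorigin")) {
    const page = new URL(pageOrigin).origin;
    const allowed = ancestorOrigins.every((a) => new URL(a).origin === page);
    return { allowed, reason: "xfo-sameorigin" };
  }
  // Anything else, including the withdrawn ALLOW-FROM, is ignored by browsers.
  return { allowed: true, reason: "xfo-unrecognised" };
}

// Constructed sample responses: the weak configuration beside the hardened one.
const PAGE = "https://app.example";
const WEAK = {};
const HARDENED = {
  "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  "x-frame-options": "SAMEORIGIN",
};

console.log(frameVerdict(WEAK, PAGE, ["https://attacker.example"]));        // allowed: true, "unprotected"
console.log(frameVerdict(HARDENED, PAGE, ["https://attacker.example"]));    // allowed: false
console.log(frameVerdict(HARDENED, PAGE, ["https://cdn.partner.example"])); // allowed: true
```

Feeding the function the headers of a real response (for instance the `headers` object of a Node `http.IncomingMessage`) turns it into a quick triage check for the "missing X-Frame-Options and CSP frame-ancestors" pattern that several of the listed CVEs describe; a verdict of `unprotected` or `xfo-unrecognised` against an attacker-controlled origin is the finding.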

MITRE CWE Description
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
Common Consequences (1)
Scope: Access Control. Impact: Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data.
An attacker can trick a user into performing actions that are masked and hidden from the user's view. The impact varies widely, depending on the functionality of the underlying application. For example, in a social media application, clickjacking could be used to trick the user into changing privacy…
Mitigations (4)
Implementation: The use of X-Frame-Options allows developers of web content to restrict the usage of their application within the form of overlays, frames, or iFrames. The developer can indicate from which domains can frame the content. The concept of X-Frame-Options is well documented, but implementation of this protection mechanism is in development to cover gaps. There is a need for allowing frames from multip…
Implementation: A developer can use a "frame-breaker" script in each page that should not be framed. This is very helpful for legacy browsers that do not support X-Frame-Options security feature previously mentioned. It is also important to note that this tactic has been circumvented or bypassed. Improper usage of frames can persist in the web application through nested frames. The "frame-breaking" script does no…
Implementation: This defense-in-depth technique can be used to prevent the improper usage of frames in web applications. It prioritizes the valid sources of data to be loaded into the application through the usage of declarative policies. Based on which implementation of Content Security Policy is in use, the developer should use the "frame-ancestors" directive or the "frame-src" directive to mitigate this weakne…
Implementation: In addition to frames or iframes as previously mentioned, the web application is expected to place restrictions on whether it is allowed to be rendered within objects, embed, or applet elements.
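The frame-breaker mitigation in the second item above, as an added example that is not code from MITRE or from any vendor on this page. It follows the fail-closed pattern published in the OWASP Clickjacking Defense Cheat Sheet: the page ships a `<style id="antiClickjack">body{display:none !important;}</style>` element and the script removes it only after confirming it is the top-level document. The point worth seeing in code is the bypass the MITRE text alludes to: inside `<iframe sandbox="allow-scripts allow-forms">` the `top.location` assignment is refused, so a naive breaker silently fails, whereas with the hidden-by-default body the page simply stays blank. `win` and `doc` are injected so the logic can be exercised under Node with the constructed stand-ins in the block; `makeFakeWindow`, `makeFakeDocument` and `runScenario` are test scaffolding invented for this example.

```javascript
// Added example for the frame-breaker mitigation. It is not code from MITRE or
// any vendor on this page; it follows the fail-closed pattern from the OWASP
// Clickjacking Defense Cheat Sheet. The page is assumed to contain
// <style id="antiClickjack">body{display:none !important;}</style>.
// `win` and `doc` are injected so the logic runs under Node with the
// constructed stand-ins further down (those stand-ins are test scaffolding only).

const ANTI_CLICKJACK_STYLE_ID = "antiClickjack";

// Returns "shown" when the document is top-level and has been unhidden,
// "hidden" when it is framed (whether or not the escape navigation succeeded).
function frameBreak(win, doc) {
  if (win.self === win.top) {
    const style = doc.getElementById(ANTI_CLICKJACK_STYLE_ID);
    if (style && style.parentNode) style.parentNode.removeChild(style);
    return "shown";
  }
  // Framed: try to bust out. Inside <iframe sandbox="allow-scripts allow-forms">
  // (no allow-top-navigation) the assignment is blocked, which is the known
  // bypass of older frame-breakers; because the body is still display:none the
  // page stays blank instead of becoming a clickable overlay target.
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // navigation refused by the sandbox; nothing else to do
  }
  return "hidden";
}

// --- constructed stand-ins for window/document, used only to exercise frameBreak ---
function makeFakeWindow({ framed, sandboxed }) {
  const win = { location: "https://app.example/settings" };
  win.self = win;
  if (!framed) {
    win.top = win;
    return win;
  }
  const top = {};
  let topLocation = "https://attacker.example/";
  Object.defineProperty(top, "location", {
    get: () => topLocation,
    set: (v) => {
      if (sandboxed) throw new Error("SecurityError: top navigation blocked by sandbox");
      topLocation = v;
    },
  });
  win.top = top;
  return win;
}

function makeFakeDocument() {
  const style = { id: ANTI_CLICKJACK_STYLE_ID, parentNode: null };
  const head = {
    children: [style],
    removeChild(node) {
      this.children = this.children.filter((c) => c !== node);
      node.parentNode = null;
    },
  };
  style.parentNode = head;
  return {
    getElementById: (id) => head.children.find((c) => c.id === id) || null,
  };
}

// Run one scenario and report what the user would end up seeing.
function runScenario({ framed, sandboxed }) {
  const win = makeFakeWindow({ framed, sandboxed });
  const doc = makeFakeDocument();
  const result = frameBreak(win, doc);
  return {
    result,
    bodyHidden: doc.getElementById(ANTI_CLICKJACK_STYLE_ID) !== null,
    topLocation: win.top.location,
  };
}

console.log(runScenario({ framed: false, sandboxed: false })); // shown, body visible
console.log(runScenario({ framed: true, sandboxed: false }));  // hidden, top navigated to the page
console.log(runScenario({ framed: true, sandboxed: true }));   // hidden, top unchanged, body stays blank

// In a real page this is the only line that runs; the stand-ins above are unused.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  frameBreak(window, document);
}
```

The script is a fallback for clients that ignore both headers, not a substitute for them: it does nothing against a browser with JavaScript disabled in the frame, and nested framing is only handled because the `top` reference skips every intermediate frame.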
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-3254 | Improper Restriction of Rendered UI Layers or Frames in GitLab | GitLab | 3.5 | Low | 2026-04-22
CVE-2026-2378 | Address bar spoofing risk in ArcSearch on Android | ArcSearch | 7.4 | High | 2026-03-20
CVE-2025-62328 | HCL Nomad server on Domino is affected by a missing default frame-ancestors directive | Nomad server on Domino | 3.7 | Low | 2026-03-11
CVE-2025-58405 | Lack of protection mechanisms against Clickjacking attacks | CGM CLININET | 6.5 (AI) | Medium (AI) | 2026-03-02
CVE-2026-27511 | Tenda F3 Clickjacking in Web Management Interface | Tenda F3 | 4.3 | Medium | 2026-02-23
CVE-2026-26000 | XWiki Platform affected by click-jacking through CSS injection in comments | xwiki-platform | 4.1 (AI) | Medium (AI) | 2026-02-12
CVE-2026-24839 | Dokploy has a clickjacking vulnerability - Missing X-Frame-Options and CSP frame-ancestors headers | dokploy | 4.7 | Medium | 2026-01-28
CVE-2026-23731 | WeGIA Clickjacking Vulnerability | WeGIA | 4.3 | Medium | 2026-01-16
CVE-2025-15032 | Increased Spoofing risk; custom new window missing about:blank | Dia | 7.4 | High | 2026-01-16
CVE-2025-52987 | Paragon Automation: A clickjacking vulnerability in the web server configuration has been addressed | Paragon Automation (Pathfinder, Planner, Insights) | 6.1 | Medium | 2026-01-15
CVE-2026-22918 | SICK TDC-X401GL security vulnerability | TDC-X401GL | 4.3 | Medium | 2026-01-15
CVE-2025-14809 | Address bar spoofing risk in ArcSearch on Android | ArcSearch | 7.4 | High | 2025-12-19
CVE-2025-14812 | Address bar spoofing risk in Arc Search on iOS | ArcSearch | 7.5 | High | 2025-12-19
CVE-2025-59849 | HCL BigFix Remote Control is vulnerable to an insecure CSP configuration | BigFix Remote Control | 4.7 | Medium | 2025-12-17
CVE-2025-59479 | Inaba Denki Sangyo CHOCO TEI WATCHER mini security vulnerability | CHOCO TEI WATCHER mini (IB-MCT001) | 8.8 (AI) | High (AI) | 2025-12-16
CVE-2025-36149 | IBM Concert Software clickjacking | IBM Concert Software | 6.3 | Medium | 2025-11-21
CVE-2025-13132 | Dia: Increased Spoof Risk; Missing full screen toast | Dia | 7.4 | High | 2025-11-21
CVE-2025-0421 | iFrame Injection in Mikrogrup's Shopside | Shopside | 4.7 | Medium | 2025-11-19
CVE-2025-64387 | Clickjacking | TCPRS1plus | 6.1 | - | 2025-10-31
CVE-2025-30191 | Open-Xchange OX App Suite security vulnerability | OX App Suite | 5.4 | Medium | 2025-10-31
CVE-2025-59950 | FreshRSS: Double clickjacking can lead to privilege escalation | FreshRSS | 6.7 | Medium | 2025-09-29
CVE-2024-13066 | iFrame Injection in Akinsoft's LimonDesk | LimonDesk | 4.3 | Medium | 2025-09-03
CVE-2025-41000 | Cross-Frame Scripting (XFS) in BoomCMS | BoomCMS | 6.1 (AI) | Medium (AI) | 2025-09-03
CVE-2025-1494 | IBM Cognos Command Center clickjacking | Cognos Command Center | 6.1 | Medium | 2025-08-26
CVE-2025-9108 | Portabilis i-Diario Login Page ui layer | i-Diario | 4.3 | Medium | 2025-08-18
CVE-2025-54527 | JetBrains YouTrack security vulnerability | YouTrack | 6.1 | Medium | 2025-07-28
CVE-2025-54139 | HAX CMS' application pages are vulnerable to clickjacking | issues | 4.3 | Medium | 2025-07-22
CVE-2025-7903 | yangzongzhuan RuoYi Image Source ui layer | RuoYi | 4.3 | Medium | 2025-07-20
CVE-2025-6983 | Clickjacking vulnerability on the management web application of TP-LINK Archer C1200 | Archer C1200 | 4.3 (AI) | Medium (AI) | 2025-07-16
CVE-2025-27455 | CVE-2025-27455 | Endress+Hauser MEAC300-FNADE4 | 4.3 | Medium | 2025-07-03

Scores and severities marked (AI) carry the site's AI badge rather than a published CVSS rating.

Vulnerabilities classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) number 110 CVEs; the table above lists the 30 most recently published. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.