CWE-1021

Improper Restriction of Rendered UI Layers or Frames

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. The usual consequences are clickjacking and tapjacking: an attacker embeds the target page in a frame under their own overlay, or layers transparent UI over it, so the user's clicks or taps land on controls they cannot see. The web-side fix is to tell the browser which origins may embed the page (a Content-Security-Policy frame-ancestors directive, with X-Frame-Options as a fallback for older browsers); several of the entries below are exactly that header being absent.
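The check a practitioner would run against a response, as an added example that is not code from MITRE, from this listing, or from any vendor named on this page. The function names (parseHeaders, framingProtection, hardenedHeaders) are chosen here, and the two HTTP responses at the bottom are constructed samples. The classifier encodes the precedence rules that matter in practice: an enforced frame-ancestors directive makes browsers ignore X-Frame-Options, a report-only CSP blocks nothing, and ALLOW-FROM is ignored by current browsers.

```javascript
// Added example for this CWE-1021 listing; not code from MITRE or from any
// vendor named on the page. parseHeaders, framingProtection and
// hardenedHeaders are names chosen here. The code decides whether a
// response's headers stop another origin from framing the page, and builds
// the header set that does. The responses at the bottom are constructed.

// Parse the head of a raw HTTP/1.1 response into { name: [values...] } with
// lowercase names. The two headers examined here are comma-separable lists
// and repeated header lines are common, so every value is collected.
function parseHeaders(raw) {
  const headers = {};
  const lines = raw.split(/\r?\n/).slice(1); // drop the status line
  for (const line of lines) {
    if (line === '') break;                   // blank line ends the headers
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const values = line.slice(i + 1).split(',').map(v => v.trim()).filter(Boolean);
    (headers[name] = headers[name] || []).push(...values);
  }
  return headers;
}

// Source list of the frame-ancestors directive in one CSP policy, or null
// when the policy does not contain that directive.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

// Classify the framing protection of a parsed header set. Order matters: an
// enforced CSP frame-ancestors directive makes browsers ignore X-Frame-Options,
// and Content-Security-Policy-Report-Only never blocks anything.
function framingProtection(headers) {
  for (const policy of headers['content-security-policy'] || []) {
    const sources = frameAncestors(policy);
    if (sources === null) continue;
    // An empty source list matches nothing, i.e. it behaves like 'none'.
    if (sources.length === 0 || sources.includes("'none'")) {
      return { protected: true, reason: "CSP frame-ancestors 'none'" };
    }
    // '*' or a bare scheme lets any origin on that scheme embed the page.
    if (sources.includes('*') || sources.some(s => /^(https?|wss?|data|blob):$/.test(s))) {
      return { protected: false, reason: 'CSP frame-ancestors allows any origin' };
    }
    return { protected: true, reason: `CSP frame-ancestors limited to ${sources.join(' ')}` };
  }
  const xfo = [...new Set((headers['x-frame-options'] || []).map(v => v.toUpperCase()))];
  if (xfo.length === 0) {
    return { protected: false, reason: 'no frame-ancestors directive and no X-Frame-Options' };
  }
  if (xfo.length > 1) {
    // Conflicting values do not simply resolve to the first one; report a
    // misconfiguration rather than guess how each browser handles it.
    return { protected: false, reason: `conflicting X-Frame-Options values: ${xfo.join(', ')}` };
  }
  if (xfo[0] === 'DENY' || xfo[0] === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${xfo[0]}` };
  }
  // ALLOW-FROM was never standardised and current browsers ignore it; any
  // other value is invalid and is ignored as well.
  return { protected: false, reason: `unsupported X-Frame-Options value: ${xfo[0]}` };
}

// Headers to add to a page that must not be embedded by other origins:
// frame-ancestors for current browsers, X-Frame-Options for older ones.
// X-Frame-Options cannot express an arbitrary origin list, so it is only
// emitted for the two cases it can represent.
function hardenedHeaders(allowedAncestors = []) {
  const sources = allowedAncestors.length ? allowedAncestors.join(' ') : "'none'";
  const out = { 'Content-Security-Policy': `frame-ancestors ${sources}` };
  if (allowedAncestors.length === 0) {
    out['X-Frame-Options'] = 'DENY';
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    out['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return out;
}

// Constructed sample: a login page with no framing restriction, the state
// behind the "missing X-Frame-Options" clickjacking entries on this page.
const UNPROTECTED = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  'Set-Cookie: session=abc123; HttpOnly; Secure',
  '',
  '<html>...</html>',
].join('\r\n');

// Constructed sample: the same page served with hardenedHeaders() applied.
const HARDENED = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  ...Object.entries(hardenedHeaders()).map(([k, v]) => `${k}: ${v}`),
  '',
  '<html>...</html>',
].join('\r\n');

console.log('unprotected:', framingProtection(parseHeaders(UNPROTECTED)));
console.log('hardened:   ', framingProtection(parseHeaders(HARDENED)));
```

Run it with node; the first sample is reported unprotected and the second protected. Note that script-based frame busting (checking `window.top !== window.self`) is not an adequate substitute for these headers, because an attacker's page can load the target in a sandboxed iframe that blocks the busting script from navigating the top window.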

388 vulnerabilities with CWE-1021
CVE              Severity  CVSS  Description
CVE-2025-1019    MEDIUM    4.3   Firefox < 135.0 and Thunderbird 131.0-134.0 - UI Spoofing via Fullscreen Notification Z-Order Manipulation
CVE-2025-1018    MEDIUM    5.3   Firefox < 135.0 - UI Spoofing via Premature Fullscreen Notification Hiding
CVE-2024-13066   MEDIUM    4.3   LimonDesk s1.02.14-v1.02.17 - Clickjacking via iFrame Overlay
CVE-2024-49796   MEDIUM    5.4   IBM ApplinX 11.1 - Clickjacking
CVE-2024-6466    MEDIUM    5.3   NEC WebSAM DeploymentManager 6.0-6.80 - SSRF
CVE-2024-57369   MEDIUM    6.4   typecho 1.2.1 - Clickjacking
CVE-2024-56436   MEDIUM    5.5   HarmonyOS - Cross-Process Screen Stack Vulnerability in UIExtension Module
CVE-2024-56435   MEDIUM    6.2   HarmonyOS - Cross-Process Screen Stack Vulnerability in UIExtension Module
CVE-2024-55888   HIGH      7.1   Hush Line <0.3.5 - CSRF
CVE-2024-54112   MEDIUM    5.5   HarmonyOS - Cross-Process Screen Stack Vulnerability in UIExtension Module
CVE-2024-54110   MEDIUM    6.2   HarmonyOS - Cross-Process Screen Stack Vulnerability in UIExtension Module
CVE-2024-53976   MEDIUM    5.4   Firefox for iOS < 133 - Info Disclosure
CVE-2024-11700   HIGH      8.1   Firefox < 133 and Thunderbird < 133 - Tapjacking via UI Layer Manipulation
CVE-2024-11695   MEDIUM    5.4   Firefox < 133 & Thunderbird < 128.5 - Open Redirect
CVE-2024-7404    MEDIUM    6.8   GitLab CE/EE <17.3.7-17.5.2 - Privilege Escalation
CVE-2024-43084   MEDIUM    5.5   Android - Local Information Disclosure via Confused Deputy in visitUris
CVE-2024-10454   MEDIUM    6.1   Clibo Manager 1.1.9.12 - Clickjacking in Login Panel via Missing X-Frame-Options Header
CVE-2024-10004   CRITICAL  9.1   Firefox for iOS < 131.2 - Info Disclosure
CVE-2024-9397    MEDIUM    6.1   Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3 - CSRF
CVE-2024-8388    MEDIUM    5.3   Firefox < 130.0 - UI Spoofing via Fullscreen Transition Notification Obscuring
CVE-2024-34743   HIGH      7.8   SurfaceFlinger - Privilege Escalation
CVE-2024-7523    HIGH      8.1   Firefox < 129 (Android) - UI Spoofing via Select Option Overlay
CVE-2024-7518    MEDIUM    6.5   Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1 - UI Spoofing via Fullscreen Notification Obscuring
CVE-2024-39320   MEDIUM    6.1   Discourse < 3.2.5 - Unauthenticated iframe Injection via Allowed Iframes Bypass
CVE-2024-40817   MEDIUM    6.1   macOS Sonoma <14.6 - Info Disclosure