4.3
CVE-2021-3660
- EPSS 1.24%
- Veröffentlicht 10.03.2022 17:42:55
- Zuletzt bearbeitet 21.11.2024 06:22:05
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cockpit-project ≫ Cockpit Version < 254
Redhat ≫ Enterprise Linux Version8.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.24% | 0.656 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-1021 Improper Restriction of Rendered UI Layers or Frames
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.
https://bugzilla.redhat.com/show_bug.cgi?id=1980688
https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10
https://github.com/cockpit-project/cockpit/issues/16122