Vulnerabilities > CVE-2021-3660
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
LOW Availability impact
NONE Summary
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
Vulnerable Configurations
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1980688
- https://bugzilla.redhat.com/show_bug.cgi?id=1980688
- https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10
- https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10
- https://github.com/cockpit-project/cockpit/issues/16122
- https://github.com/cockpit-project/cockpit/issues/16122