CVE-2021-3660 - Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: LOW
Availability impact: NONE
cockpit-project
redhat
CWE-1021

Summary

Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a Cockpit server on another website, inside an <iframe> HTML element. A malicious website may use this in clickjacking or similar attacks.

Vulnerable Configurations

Part         Description      Count
Application  Cockpit-Project  222
OS           Redhat           1