Improper Restriction of Rendered UI Layers or Frames in aces/loris


Reported on Sep 24th 2021


It is possible to perform a clickjacking attack due to the lack of frame restrictions such as X-Frame-Options: DENY.

Proof of Concept

Tested ::


Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.

We have contacted a member of the aces/loris team and are waiting to hear back (a year ago)
0xdhinu modified the report (a year ago)
Dave MacFarlane validated this vulnerability (a year ago)
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dave MacFarlane marked this as fixed with commit 82b504 (a year ago)
Dave MacFarlane has been awarded the fix bounty
This vulnerability will not receive a CVE
Dave MacFarlane (a year ago):


This should be fixed by (CSP was used instead of X-Frame-Options, though it still needs to be pushed to
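As an added example (not code from aces/loris or from this report), the check a maintainer or tester would run against the server's response headers to confirm the fix: it applies the precedence the fix comment relies on (a CSP frame-ancestors directive overrides X-Frame-Options when both are present) and treats a missing header or the obsolete ALLOW-FROM form as the unprotected state this report describes. The sample header sets at the bottom are constructed.

```python
from typing import Dict, List, Optional


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response as 'denied', 'same-origin', 'restricted' or 'unprotected'.

    'restricted' means framing is limited to an explicit allow-list;
    'unprotected' is the clickjacking-exposed state described in the report.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # Browsers give CSP frame-ancestors precedence over X-Frame-Options.
    ancestors = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # 'none' (or an empty source list, which matches nothing) blocks all framing.
        if ancestors == ["none"] or not ancestors:
            return "denied"
        if ancestors == ["self"]:
            return "same-origin"
        return "restricted"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers; an empty or
    # unrecognised value is likewise treated as no protection at all.
    return "unprotected"


# Constructed sample header sets: the reported state and two fixed states.
VULNERABLE = {"Content-Type": "text/html"}
FIXED_XFO = {"X-Frame-Options": "DENY"}
FIXED_CSP = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
```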
