Vulnerable to clickjacking in cockpit-hq/cockpit
Valid
Reported on
Feb 9th 2023
Description
Vulnerable to clickjacking
Proof of Concept
- Create an iframe.html with the contents below:
<!DOCTYPE html>
<html>
<body>
<h1>The iframe element</h1>
<iframe src="https://localhost/Cockpit/" title="iframe test"> </iframe>
</body>
</html>
- Open it in Firefox and note that the frame loads: the page can be framed, which makes clickjacking possible because the X-Frame-Options security header is missing.
Impact
This vulnerability enables clickjacking, which allows an attacker to create an invisible iframe of the application.
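As an added defender's check (not part of the report), the following Python classifies a response's anti-framing posture from its headers, treating Content-Security-Policy frame-ancestors as taking precedence over X-Frame-Options the way current browsers do; the sample header sets are constructed for illustration, not captured from Cockpit.

```python
"""Classify a response's anti-framing posture from its HTTP headers.

Added example, not from the report. Browsers that support CSP give
frame-ancestors precedence over X-Frame-Options, so CSP is checked first.
"""
import sys
import urllib.request
from typing import List, Mapping, Optional

# X-Frame-Options values that current browsers treat as a framing block.
# ALLOW-FROM is obsolete and ignored, so it is deliberately not listed.
_XFO_BLOCKING = {"deny", "sameorigin"}


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return frame-ancestors sources (lower-cased, quotes stripped), or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Return "csp", "xfo", or "none" (frameable by any origin: clickjacking exposure)."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ancestors = csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # '*' or a bare scheme source lets arbitrary sites frame the page.
        if any(a in ("*", "https:", "http:") for a in ancestors):
            return "none"
        return "csp"  # an empty source list matches no ancestor, i.e. blocks framing
    if lower.get("x-frame-options", "").strip().lower() in _XFO_BLOCKING:
        return "xfo"
    return "none"


# Constructed sample header sets (illustrative, not captured from Cockpit).
VULNERABLE_HEADERS = {"Content-Type": "text/html; charset=UTF-8"}
HARDENED_HEADERS = {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'"}

if __name__ == "__main__":
    # With a URL argument, check a deployment you operate; otherwise use the samples.
    if len(sys.argv) > 1:
        with urllib.request.urlopen(sys.argv[1]) as resp:
            print(framing_protection(dict(resp.headers)))
    else:
        print(framing_protection(VULNERABLE_HEADERS), framing_protection(HARDENED_HEADERS))
```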