Vulnerable to clickjacking in cockpit-hq/cockpit

Valid

Reported on

Feb 9th 2023


Description

Vulnerable to clickjacking

Proof of Concept

  1. Create an iframe.html with the contents below:

     <!DOCTYPE html>
     <html>
     <body>
     <h1>The iframe element</h1>
     <iframe src="https://localhost/Cockpit/" title="iframe test"></iframe>
     </body>
     </html>

  2. Open it in Firefox and note that the frame loads: the application can be framed because the X-Frame-Options security header is missing, which makes it susceptible to clickjacking.

Impact

This vulnerability enables clickjacking: because the response carries no framing restriction, an attacker can embed the application in an invisible iframe.
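The condition described above (a response with no X-Frame-Options or CSP frame-ancestors) can be checked mechanically. The following is an added example, not code from the report or the Cockpit project: it takes response headers as a dict and decides whether a browser would let a page from another origin frame it, applying the precedence browsers use (CSP frame-ancestors overrides X-Frame-Options). The header dicts and origins are constructed samples; CSP source matching is simplified.

```python
# Added example (not from the report or the Cockpit project): decide whether a
# response's headers let another origin frame the page. Header dicts are constructed.
from urllib.parse import urlsplit

def _frame_ancestors(csp):
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]  # empty list acts like 'none'
    return None

def _source_matches(source, page_origin, framer_origin):
    """Simplified CSP source matching: keywords, '*', scheme-only and host sources."""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer_origin == page_origin
    if source == "*":
        return True
    framer = urlsplit(framer_origin)
    if source.endswith(":") and "/" not in source:  # scheme source such as https:
        return framer.scheme == source[:-1]
    src = urlsplit(source if "//" in source else "//" + source)
    if src.scheme and src.scheme != framer.scheme:  # strict scheme match, no upgrade
        return False
    host = src.hostname or ""
    if host.startswith("*."):  # '*.example.com' matches any subdomain
        return (framer.hostname or "").endswith(host[1:])
    return framer.hostname == host

def framing_allowed(headers, page_origin, framer_origin):
    """True if a browser would render the page in a frame on framer_origin.
    CSP frame-ancestors overrides X-Frame-Options when both are present."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None:
        return any(_source_matches(s, page_origin, framer_origin) for s in ancestors)
    xfo = lowered.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer_origin == page_origin
    return True  # header missing (the reported Cockpit case) or ignored by browsers

# Constructed samples: an unprotected response as the report describes, and a hardened one.
UNPROTECTED = {"Content-Type": "text/html; charset=utf-8"}
PROTECTED = {**UNPROTECTED, "X-Frame-Options": "SAMEORIGIN",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
```

Either header on its own closes the reported gap; sending both covers browsers that honour only one of them.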

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. 2 months ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back 2 months ago
Artur validated this vulnerability 2 months ago
Joshua Chan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.3.9-dev with commit 8450bd 2 months ago
Artur has been awarded the fix bounty
This vulnerability has been assigned a CVE
Artur published this vulnerability 2 months ago