Improper Restriction of Rendered UI Layers or Frames in namelessmc/nameless
Oct 14th 2021
Nameless is vulnerable to clickjacking because it does not have the X-Frame-Options header set to DENY or SAMEORIGIN (only nginx proxy has it).
This header is important because it prevents other websites from Iframing the website. If the website can be iframed, then the attacker can host a malicious iframe on their site and trick the user into pressing buttons which disables the forum etc.)
Proof of Concept
Open this HTML file in your browser to see that the website can
This vulnerability is capable of tricking the admin user into disabling or enabling the forum. etc.