UI REDRESSING in unilogies/bumsys


Reported on

Feb 25th 2023


The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with

Steps To Reproduce

1. Create a New HTML file as shown in below i.e Test.html
2. Put `<iframe src="http://demo.bumsys.org/" width="1000" height="1000"></iframe>`
3. Save the File
4. Open the File(Test.html) in Browser(i.e Firefox )

File : Test.html

<!DOCTYPE html>
<html lang="en">
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Clickjacking Attack</title>
    <p>This Page is Vulnerable to Clickjacking</p>
<iframe src="http://demo.bumsys.org/" width="1000" height="1000"></iframe>

Proof of Concept



It's important to implement the X-Frame-Options header, using a content security policy (CSP), and enabling browser features like Framebusting.


Attackers can use clickjacking to redirect users to a fake login page that looks exactly like the real one. They can then steal users' login credentials, leading to unauthorized access to their accounts.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. 25 days ago
We have contacted a member of the unilogies/bumsys team and are waiting to hear back 24 days ago
Khurshid Alam validated this vulnerability 23 days ago
ctflearner has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Khurshid Alam marked this as fixed in v2.0.2 with commit 8c5b27 18 days ago
Khurshid Alam has been awarded the fix bounty
This vulnerability will not receive a CVE
Khurshid Alam published this vulnerability 18 days ago
18 days ago


@khurshid Alam can you assign CVE for this

Khurshid Alam
17 days ago

@admin, Please assign a CVE. Thank you.

Ben Harvie
10 days ago


CVE assigned as requested:)

to join this conversation