CVE-2022-2734: UI REDRESSING in openemr

Improper Restriction of Rendered UI Layers or Frames in GitHub repository openemr/openemr prior to 7.0.0.1.

CVE
#web#git#php

Description

Clickjacking is a portmanteau of the words ‘click’ and ‘hijacking’: it refers to hijacking a user’s click for malicious intent. The attacker embeds the vulnerable site in a transparent iframe on the attacker’s own website and overlays it with objects such as buttons using CSS. This tricks users into performing unintended actions on the vulnerable website while they believe they are interacting with the attacker’s website. Clickjacking is also known as a "UI redress attack".

Proof of Concept

1. Go to this URL: http://web.clickjacker.io/test?url=http:%2F%2Fdemo.openemr.io%2Fopenemr%2Finterface%2Flogin%2Flogin.php%3Fsite%3Ddefault
2. Observe that the website is embedded in an iframe.
3. Observe that the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive are both missing.
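The check in step 3 comes down to whether the response carries either anti-framing header and, if so, whether it actually excludes the framing origin. The following Python is an added example, not part of the original advisory or of OpenEMR's code: it evaluates a header set the way a browser does (a CSP frame-ancestors directive takes precedence over X-Frame-Options; an invalid X-Frame-Options value such as the obsolete ALLOW-FROM gives no protection). The header sets and origins are constructed for the example; the "unprotected" sample reflects what step 3 reports for the login page, the others are hypothetical hardened variants.

```python
"""Decide whether a page's response headers let it be framed by another origin.

The "unprotected" sample (neither header present) is the clickjacking
precondition observed in the proof of concept; the other header sets are
hypothetical hardened variants. All origins are placeholders.
"""
from __future__ import annotations

from typing import Mapping
from urllib.parse import urlsplit


def parse_frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of the frame-ancestors directive, or None when
    the policy has no such directive. Directive names are case-insensitive."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _source_matches(src: str, page_origin: str, framer_origin: str) -> bool:
    """Match one frame-ancestors source expression against the framing origin
    (simplified: ports and paths are not normalised)."""
    parts = urlsplit(framer_origin)
    host = parts.hostname or ""
    if src == "'none'":
        return False                        # matches nothing
    if src == "*":
        return True
    if src == "'self'":
        return framer_origin == page_origin
    if src.endswith(":") and "/" not in src:
        return parts.scheme == src[:-1]     # scheme-source such as https:
    if "://" in src:
        return src == framer_origin         # full origin
    if src.startswith("*."):
        return host.endswith(src[1:])       # wildcard host
    return host == src                      # bare host, any scheme


def framing_allowed(headers: Mapping[str, str], page_origin: str, framer_origin: str) -> bool:
    """True if a standards-following browser would render the page inside a
    frame whose document comes from framer_origin.

    Precedence: when CSP contains frame-ancestors it is authoritative and
    X-Frame-Options is ignored. Otherwise X-Frame-Options DENY blocks every
    framer, SAMEORIGIN allows only page_origin, and any other value (including
    the obsolete ALLOW-FROM) is treated as absent, which is how browsers behave.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = page_origin.lower(), framer_origin.lower()
    csp = lowered.get("content-security-policy")
    if csp is not None:
        sources = parse_frame_ancestors(csp)
        if sources is not None:
            return any(_source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True


PAGE_ORIGIN = "https://emr.example"            # placeholder for the application
ATTACKER_ORIGIN = "https://attacker.example"   # placeholder framing site

# Constructed header sets. "unprotected" mirrors what step 3 of the PoC reports
# (neither header present); the others are hypothetical hardened variants.
SAMPLES: dict[str, dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html; charset=UTF-8"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "xfo_invalid": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_beats_xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'self' https://portal.example",
    },
}


def assess(name: str, framer_origin: str = ATTACKER_ORIGIN) -> str:
    """Classify one sample: 'frameable' means the clickjacking precondition holds."""
    return "frameable" if framing_allowed(SAMPLES[name], PAGE_ORIGIN, framer_origin) else "protected"


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:15s} -> {assess(name)}")
```

The "csp_beats_xfo" sample is the case worth remembering when reviewing a fix: the DENY in X-Frame-Options looks strict, but because the CSP carries frame-ancestors, it is the CSP source list that decides, so portal.example is still allowed to frame the page. The fix for this class of issue is to send `X-Frame-Options: SAMEORIGIN` (or DENY) together with a matching `Content-Security-Policy: frame-ancestors` directive on every HTML response, including the login page.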

Impact

Users are tricked into performing all sorts of unintended actions, such as typing in their password, clicking a ‘Delete my account’ button, liking a post, deleting a post, or commenting on a blog. In other words, any action a normal user can perform on the legitimate website can be triggered through clickjacking.

References

  • https://huntr.dev/bounties/a9ec1eef-98a0-4201-85ea-b111b3e86246/
  • https://cwe.mitre.org/data/definitions/1021.html
  • https://huntr.dev/bounties/47cc6621-2474-40f9-ab68-3cf62389a124/
