CVE-2021-3660
Published 2022-03-10
Severity: medium (CVSS 3.1 base score 4.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a Cockpit server from another website, inside an <iframe> HTML element. This may be used by a malicious website in clickjacking or similar attacks.
Affected
Affected version ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| agentejo | cockpit | >= 0 < 254-1 | 254-1 |
| cockpit-project | cockpit | < 254 | 254 |
| cockpit-project | cockpit | — | — |
| debian | cockpit | < cockpit 254-1 (bookworm) | cockpit 254-1 (bookworm) |
| msrc | cm1_cockpit_248-3_on_cbl_mariner_1.0 | — | — |
| redhat | enterprise_linux | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS v3.1) | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| OSV | 4.3 | MEDIUM | — |
Microsoft
vendor_msrc · 2022-03-08 · CVSS 4.3 · MEDIUM · CWE-1021
Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a Cockpit server via another website inside an <iFrame> HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to addi
Red Hat
cockpit: pages vulnerable to clickjacking
vendor_redhat · 2021-07-20 · CVSS 4.3 · MEDIUM · CWE-1021
Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a Cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
Statement: In cockpit versions 236 and above (Red Hat Enterprise Linux 8.4 and above), this flaw should not be exploitable, as the session cookie has the `SameSite=Strict;` option enabled, preventing web browsers from reusing it from third-party websites.
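Red Hat's statement hinges on two distinct defences: a framing policy on the response (X-Frame-Options or a CSP `frame-ancestors` directive) and a `SameSite=Strict` session cookie that browsers withhold from cross-site requests. The following is an added defender-side check, not code from the Cockpit project or any vendor here; it assumes a session cookie name of `cockpit` (a placeholder) and runs over constructed sample responses.

```python
def _frame_ancestors(csp_value):
    # Return the frame-ancestors source list from a CSP header value, or None if absent.
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _cookie_samesite(set_cookie_value):
    # Return the lowercased SameSite attribute of a Set-Cookie value, or None if unset.
    for attr in set_cookie_value.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().lower() or None
    return None


def assess_clickjacking_defences(headers, session_cookie="cockpit"):
    """headers: list of (name, value) pairs as an HTTP client returns them.
    session_cookie: assumed session cookie name (placeholder, not taken from the advisory)."""
    result = {"frame_blocked": False, "frame_ancestors": None, "xfo": None, "samesite": None}
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            result["xfo"] = value.strip().upper()
            if result["xfo"] in ("DENY", "SAMEORIGIN"):
                result["frame_blocked"] = True
        elif lname == "content-security-policy":
            ancestors = _frame_ancestors(value)
            if ancestors is not None:
                result["frame_ancestors"] = ancestors
                # Only 'none' / 'self' sources rule out framing by a third-party origin.
                if ancestors and set(ancestors) <= {"'none'", "'self'"}:
                    result["frame_blocked"] = True
        elif lname == "set-cookie":
            if value.split("=", 1)[0].strip() == session_cookie:
                result["samesite"] = _cookie_samesite(value)
    # SameSite=Strict is the mitigation the Red Hat statement relies on: the browser
    # does not attach the cookie to a request initiated by another site, so a framed
    # page is served without the victim's session.
    result["cross_site_cookie_blocked"] = result["samesite"] == "strict"
    return result


# Constructed sample responses, not captured from a real Cockpit server.
UNPROTECTED = [("Content-Type", "text/html"),
               ("Set-Cookie", "cockpit=abc123; Path=/; Secure; HttpOnly")]
PROTECTED = [("Content-Type", "text/html"),
             ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
             ("Set-Cookie", "cockpit=abc123; Path=/; Secure; HttpOnly; SameSite=Strict")]
```

A response that reports neither `frame_blocked` nor `cross_site_cookie_blocked` matches the condition the advisory describes.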
Debian
CVE-2021-3660: cockpit - Cockpit (and its plugins) do not seem to protect itself against clickjacking
vendor_debian · 2021 · CVSS 4.3 · MEDIUM
Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a Cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
Scope: local
bookworm: resolved (fixed in 254-1)
bullseye: open
forky: resolved (fixed in 254-1)
sid: resolved (fixed in 254-1)
trixie: resolved (fixed in 254-1)
GHSA
GHSA-5m9v-2hhc-h2wj: Cockpit (and its plugins) do not seem to protect itself against clickjacking
ghsa_unreviewed · 2022-03-11 · MEDIUM · CWE-1021
Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a Cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
OSV
CVE-2021-3660: Cockpit (and its plugins) do not seem to protect itself against clickjacking
osv · 2022-03-10 · CVSS 4.3 · MEDIUM
Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a Cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
No detection rules found.
No public exploits indexed.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1980688
https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10
https://github.com/cockpit-project/cockpit/issues/16122