CVE-2025-1021
Published 2025-04-23
CVE-2025-1021: Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote…
Priority: P3 · 48 · high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.47% (36.9th percentile)
Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amauri | tarteaucitronjs | >= 0 < 1.20.1 | 1.20.1 |
| elmsln | haxcms | >= 0 < 11.0.8 | 11.0.8 |
| feehi | feehicms | 0 – 2.1.1 | — |
| gitlab | gitlab | — | — |
| gitlab | gitlab_ce | — | — |
| haxtheweb | haxcms-nodejs | >= 0 < 11.0.13 | 11.0.13 |
| haxtheweb | haxcms-nodejs | >= 0 < 11.0.0 | 11.0.0 |
| jupyter | nbgrader | >= 0.9.4 < 0.9.5 | 0.9.5 |
| msrc | azl3_mozjs_102.15.1-1_on_azure_linux_3.0 | — | — |
| msrc | cm1_cockpit_248-3_on_cbl_mariner_1.0 | — | — |
| synology | diskstation_manager | >= 7.1 < 7.1.1-42962-8 | 7.1.1-42962-8 |
| synology | diskstation_manager | >= 7.2.1 < 7.2.1-69057-7 | 7.2.1-69057-7 |
| synology | diskstation_manager | >= 7.2.1-69057 < 7.2.1-69057-7 | 7.2.1-69057-7 |
| synology | diskstation_manager | >= 7.2.2 < 7.2.2-72806-3 | 7.2.2-72806-3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vendor_msrc | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 5.4 | MEDIUM | — |
GHSA (ghsa, 2025-12-01): CVE-2025-63522 [MEDIUM] CWE-1021 FeehiCMS is vulnerable to reverse tabnabbing
Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function
GHSA (ghsa, 2025-07-21): CVE-2025-54139 [MEDIUM] CWE-1021 HAX CMS application pages vulnerable to clickjacking
### Summary
All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This applies to both the CMS and generated sites.
### PoC
To replicate this vulnerability, load the target page in an iframe and observe the rendered content.
### Impact
An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (Clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application.
GHSA (ghsa, 2025-06-09): CVE-2025-49139 [MEDIUM] CWE-1021 @haxtheweb/haxcms-nodejs Iframe Phishing vulnerability
### Summary
In the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL.
### Affected Resources
- [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868)
- `https:////system/api/saveNode`
### PoC
1. Set the URL in an iframe pointing to an attacker-controlled server running Responder
2. Once another user visits the site, they are prompted to sign in.
3. If a user inputs credentials, the username and password hash are outputted in Responder.
### Impact
An authenticated attacker can c
GHSA (ghsa_unreviewed, 2025-04-23): CVE-2025-1021 [HIGH] CWE-862 GHSA-5h3w-59m5-q6wr: Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7
Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors.
GHSA (ghsa, 2025-04-07): CVE-2025-31138 [MEDIUM] CWE-1021 tarteaucitron.js allows UI manipulation via unrestricted CSS injection
A vulnerability was identified in `tarteaucitron.js`, where user-controlled inputs for element dimensions (`width` and `height`) were not properly validated. This allowed an attacker with direct access to the site's source code or a CMS plugin to set values like `100%;height:100%;position:fixed;`, potentially covering the entire viewport and facilitating clickjacking attacks.
## Impact
An attacker with high privileges could exploit this vulnerability to:
- Overlay malicious UI elements on top of legitimate content,
- Trick users into interacting with hidden elements (clickjacking),
- Disrupt the intended functionality and accessibility of the website.
## Fix
https://github.com/AmauriC/tarteaucitron.js/commit/25fcf828
GHSA (ghsa, 2025-01-17): CVE-2025-23205 [HIGH] CWE-1021 nbgrader's `frame-ancestors: self` grants all users access to formgrader
### Impact
Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`.
#1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice's page is on the same Origin as the formgrader iframe, JavaScript on Alice's page has _full access_ to the contents of the page served by formgrader using Bob's credentials.
### Workarounds
- Disable `frame-ancestors: self`, or
- enable per-user and
Juniper (vendor_juniper, 2026-01-15, CVSS 6.1): CVE-2025-52987 [MEDIUM] CWE-1021
CVE-2025-52987: A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application's failure to set appropriate X-Frame-Options and X-Content-Type HTTP headers. This vulnerability allows an attacker to trick users into interacting with the interface under the attacker's control.
This issue affects all versions of Paragon Automation (Pathfinder, Planner, Insights) before 24.1.1.
Red Hat (vendor_redhat, 2025-12-02, CVSS 4.4): CVE-2025-13635 [MEDIUM] CWE-1021 chromium-browser: Inappropriate implementation in Downloads
Inappropriate implementation in Downloads in Google Chrome prior to 143.0.7499.41 allowed a local attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
Red Hat (vendor_redhat, 2025-11-14, CVSS 4.3): CVE-2025-13107 [MEDIUM] CWE-1021 chromium-browser: Inappropriate implementation in Compositing
Inappropriate implementation in Compositing in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
Red Hat (vendor_redhat, 2025-11-10, CVSS 4.2): CVE-2025-12446 [MEDIUM] CWE-1021 chromium-browser: Incorrect security UI in SplitView
Incorrect security UI in SplitView in Google Chrome prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted domain name. (Chromium security severity: Low)
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Google Chrome Security Advisory.
Red Hat (vendor_redhat, 2025-05-27, CVSS 5.4): CVE-2025-5267 [MEDIUM] CWE-1021 firefox: thunderbird: Clickjacking vulnerability could have led to leaking saved payment card details
A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: A clickjacking vulnerability could be used to trick a user into leaking saved payment card details to a malicious page.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.
Package: rhel10/firefox-flatpak (Red Hat Enterprise Linux 10) - Affected
Package: rhel10/thunderbird-flatpa
GitLab (vendor_gitlab, 2025-04-10, CVSS 6.4): CVE-2025-0362 [MEDIUM] CWE-1021
CVE-2025-0362: An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf.
Red Hat (vendor_redhat, 2025-03-04, CVSS 4.3): CVE-2025-1935 [MEDIUM] CWE-1021 firefox: Clickjacking the registerProtocolHandler info-bar Reporter
A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.
A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: A web page could trick a user into setting that site as the default handler for a custom URL protocol.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory
Package: firefox (Red Hat Enterprise Linux 10) - Affected
Package: firefox-flatpak-container (Red Hat Enterprise Linux 10) - Affected
Package: firefox (Red Hat Enterprise Linux 6) - Ou
Red Hat (vendor_redhat, 2025-03-04, CVSS 3.9): CVE-2025-1939 [LOW] CWE-1021 firefox: Tapjacking in Android Custom Tabs using transition animations
Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability affects Firefox < 136.
A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could be used to trick a user into granting sensitive permissions by hiding what the user is actually clicking.
Statement: Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Adviso
Microsoft (vendor_msrc, 2024-02-13, CVSS 6.1): CVE-2024-1550 [MEDIUM] CWE-1021
A malicious website could have used a combination of exiting fullscreen mode and `requestPointerLock` to cause the user's mouse to be re-positioned unexpectedly, which could have led to user confusion and inadvertently granting permissions they did not intend to grant. This vulnerability affects Firefox
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this
Microsoft (vendor_msrc, 2022-03-08, CVSS 4.3): CVE-2021-3660 [MEDIUM] CWE-1021
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website inside an `<iFrame>` HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to addi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.