Improper Restriction of Rendered UI Layers or Frames in chevereto/chevereto-free

Valid

Reported on

Oct 6th 2021

Clickjacking is a portmanteau of two words ‘click’ and ‘hijacking’. It refers to hijacking user’s click for malicious intent. In it, an attacker embeds the vulnerable site in an transparent iframe in attacker’s own website and overlays it with objects such as button using CSS skills. This tricks users to perform unintended actions on vulnerable website, thinking they are doing those on attacker’s website. Clickjacking, also known as a "UI redress attack".

IMPACT:

Users are tricked into performing all sorts of unintended actions are such as typing in the password, clicking on ‘Delete my account’ button, liking a post, deleting a post, commenting on a blog. In other words all the actions that a normal user can do on a legitimate website can be done using clickjacking.

POC: http://web.clickjacker.io/test?url=demo.chevereto.com%2Flogin

We have contacted a member of the chevereto/chevereto-free team and are waiting to hear back 2 years ago

A chevereto/chevereto-free maintainer validated this vulnerability 2 years ago

sudheendra17 has been awarded the disclosure bounty

The fix bounty is now up for grabs

A chevereto/chevereto-free maintainer marked this as fixed with commit 52760d 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation