Vulnerable to clickjacking in cockpit-hq/cockpit


Reported on

Feb 9th 2023


Vulnerable to clickjacking

Proof of Concept

  1. Create an iframe.html with the contents below:

<!DOCTYPE html>
<html>
<head><title>iframe test</title></head>
<body>
<h1>The iframe element</h1>
<!-- Embeds the Cockpit page in a frame served from a different origin -->
<iframe src="https://localhost/Cockpit/" title="iframe test"></iframe>
</body>
</html>

  2. Open the file in Firefox and note that the frame loads. Because the response carries no X-Frame-Options header, the page can be embedded by any origin, which is the precondition for clickjacking.


This vulnerability enables clickjacking, which allows an attacker to create an invisible iframe
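The check in step 2 can be scripted rather than eyeballed in a browser. The following Python is an added example, not code from the report or from the Cockpit project. It mirrors how browsers evaluate framing protection: a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options entirely, two conflicting X-Frame-Options values make the browser refuse to render the frame, and ALLOW-FROM or misspelt values are ignored (so the page stays framable). The sample header sets and the check_url helper are constructed for illustration.

```python
"""Classify a response's framing protection the way a browser would."""
import urllib.request
from typing import Mapping, Optional


def _csp_frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of a frame-ancestors directive, or None if absent.

    An empty source list matches nothing, so it is reported as 'none'.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def assess_framing(headers: Mapping[str, str]) -> str:
    """Classify framing protection from response headers.

    Returns one of:
      "csp-restricted"  frame-ancestors present and not a wildcard
      "csp-open"        frame-ancestors present but allows any origin (*)
      "xfo-deny"        X-Frame-Options DENY, or conflicting values (browsers block)
      "xfo-sameorigin"  X-Frame-Options SAMEORIGIN
      "framable"        no effective protection (header absent or unrecognised)
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            # frame-ancestors takes precedence over X-Frame-Options.
            return "csp-open" if "*" in ancestors else "csp-restricted"
    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "framable"
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if not values:
        return "framable"
    if len(values) > 1:
        # Conflicting directives such as "DENY, SAMEORIGIN": browsers refuse to frame.
        return "xfo-deny"
    value = values.pop()
    if value == "deny":
        return "xfo-deny"
    if value == "sameorigin":
        return "xfo-sameorigin"
    # ALLOW-FROM and typos are ignored by current browsers, so the page is framable.
    return "framable"


def is_clickjackable(headers: Mapping[str, str]) -> bool:
    """True when a third-party page could embed this response in a frame."""
    return assess_framing(headers) in ("framable", "csp-open")


def check_url(url: str) -> str:
    """Fetch a URL and classify its headers (needs network; hypothetical helper)."""
    with urllib.request.urlopen(url) as resp:
        return assess_framing({k: v for k, v in resp.headers.items()})


# Constructed sample responses, not captured from a real Cockpit install.
MISSING = {"Content-Type": "text/html; charset=utf-8"}
FIXED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
CSP_ONLY = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
CSP_WINS = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"}

if __name__ == "__main__":
    samples = [("missing", MISSING), ("fixed", FIXED), ("csp", CSP_ONLY), ("csp_wins", CSP_WINS)]
    for name, h in samples:
        print(f"{name:9} -> {assess_framing(h)} (clickjackable={is_clickjackable(h)})")
```

Run it against the PoC target with check_url("https://localhost/Cockpit/"): a result of "framable" reproduces the finding, and "xfo-sameorigin" or "csp-restricted" confirms the fix. Note that CSP_WINS is still clickjackable even though it sends X-Frame-Options: DENY, because the permissive frame-ancestors directive wins; a fix that only adds X-Frame-Options should therefore be checked against any existing CSP.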

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back a year ago
Artur validated this vulnerability a year ago
popcorn94 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.3.9-dev with commit 8450bd a year ago
Artur has been awarded the fix bounty
This vulnerability has now been published a year ago