CVE-2021-3660 Information

Jun 07, 2022 cve

Description

Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.</p> <h2 id="cvss-vector">CVSS Vector</h2> <p>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N</p> <h2 id="reference">Reference</h2> <p><a href="https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10"><em><strong>https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10</strong></em></a> <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1980688"><em><strong>https://bugzilla.redhat.com/show_bug.cgi?id=1980688</strong></em></a> <a href="https://github.com/cockpit-project/cockpit/issues/16122"><em><strong>https://github.com/cockpit-project/cockpit/issues/16122</strong></em></a></p> <h2 id="attack-complexity">Attack Complexity</h2> <p>LOW</p> <h2 id="privileges-required">Privileges Required</h2> <p>NONE</p> <h2 id="user-interaction-required">User Interaction Required</h2> <p>NONE</p> <h2 id="scope">Scope</h2> <p>REQUIRED</p> <h2 id="confidentiality-impact">Confidentiality Impact</h2> <p>UNCHANGED</p> <h2 id="integrity-impact">Integrity Impact</h2> <p>NONE</p> <h2 id="availability-impact">Availability Impact</h2> <p>LOW</p> <h2 id="base-score">Base Score</h2> <p>NONE</p> <h2 id="base-severity">Base Severity</h2> <p>4.3</p> <style> #share-buttons {display: inline-block; vertical-align: middle; } #share-buttons:after {content: ""; display: block; clear: both;} #share-buttons > div { position: relative; text-align: left; height: 36px; width: 32px; float: left; text-align: center; } #share-buttons > div > svg {height: 16px; fill: #09de25; margin-top: 10px;} #share-buttons > div:hover {cursor: pointer;} #share-buttons > div.facebook:hover > svg {fill: #09ad1e;} #share-buttons > div.twitter:hover > svg {fill: #09ad1e;} #share-buttons > div.linkedin:hover > svg {fill: #09ad1e;} #share-buttons > div.pinterest:hover > svg {fill: #09ad1e;} #share-buttons > div.gplus:hover > svg {fill: #09ad1e;} #share-buttons > div.mail:hover > svg {fill: #09ad1e;} #share-buttons > div.instagram:hover > svg {fill: #09ad1e;} #share-buttons > div.facebook > svg {height: 18px; margin-top: 9px;} #share-buttons > div.twitter > svg {height: 20px; margin-top: 8px;} #share-buttons > div.linkedin > svg {height: 19px; margin-top: 7px;} #share-buttons > div.pinterest > svg {height: 20px; margin-top: 9px;} #share-buttons > div.mail > svg {height: 14px; margin-top: 11px;} </style> <span style="color: limegreen;">Share on: </span><div id="share-buttons"> <div class="facebook" title="Share this on Facebook" onclick="window.open('http://www.facebook.com/share.php?u=https:\/\/jamesbrine.com.au\/cve-2021-3660-information\/');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M1343 12v264h-157q-86 0-116 36t-30 108v189h293l-39 296h-254v759h-306v-759h-255v-296h255v-218q0-186 104-288.5t277-102.5q147 0 228 12z"/></svg></div> <div class="twitter" title="Share this on Twitter" onclick="window.open('http://twitter.com/home?status=https:\/\/jamesbrine.com.au\/cve-2021-3660-information\/');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M1684 408q-67 98-162 167 1 14 1 42 0 130-38 259.5t-115.5 248.5-184.5 210.5-258 146-323 54.5q-271 0-496-145 35 4 78 4 225 0 401-138-105-2-188-64.5t-114-159.5q33 5 61 5 43 0 85-11-112-23-185.5-111.5t-73.5-205.5v-4q68 38 146 41-66-44-105-115t-39-154q0-88 44-163 121 149 294.5 238.5t371.5 99.5q-8-38-8-74 0-134 94.5-228.5t228.5-94.5q140 0 236 102 109-21 205-78-37 115-142 178 93-10 186-50z"/></svg></div> <div class="linkedin" title="Share this on Linkedin" onclick="window.open('https://www.linkedin.com/shareArticle?mini=true&url=https:\/\/jamesbrine.com.au\/cve-2021-3660-information\/&title=&summary=&source=');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M477 625v991h-330v-991h330zm21-306q1 73-50.5 122t-135.5 49h-2q-82 0-132-49t-50-122q0-74 51.5-122.5t134.5-48.5 133 48.5 51 122.5zm1166 729v568h-329v-530q0-105-40.5-164.5t-126.5-59.5q-63 0-105.5 34.5t-63.5 85.5q-11 30-11 81v553h-329q2-399 2-647t-1-296l-1-48h329v144h-2q20-32 41-56t56.5-52 87-43.5 114.5-15.5q171 0 275 113.5t104 332.5z"/></svg></div> <div class="mail" title="Share this through Email" onclick="window.open('mailto:?&body=https:\/\/jamesbrine.com.au\/cve-2021-3660-information\/');"><svg viewBox="0 0 1792 1792" xmlns="http://www.w3.org/2000/svg"><path d="M1792 710v794q0 66-47 113t-113 47h-1472q-66 0-113-47t-47-113v-794q44 49 101 87 362 246 497 345 57 42 92.5 65.5t94.5 48 110 24.5h2q51 0 110-24.5t94.5-48 92.5-65.5q170-123 498-345 57-39 100-87zm0-294q0 79-49 151t-122 123q-376 261-468 325-10 7-42.5 30.5t-54 38-52 32.5-57.5 27-50 9h-2q-23 0-50-9t-57.5-27-52-32.5-54-38-42.5-30.5q-91-64-262-182.5t-205-142.5q-62-42-117-115.5t-55-136.5q0-78 41.5-130t118.5-52h1472q65 0 112.5 47t47.5 113z"/></svg></div> </div> <script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> <ins class="adsbygoogle" style="display:block" data-ad-format="fluid" data-ad-layout-key="-gu-18+5g-2f-83" data-ad-client="ca-pub-8803350446980282" data-ad-slot="1897330987"></ins> <script> (adsbygoogle = window.adsbygoogle || []).push({}); </script> </article> </div> </div> </body> </html>