Improper Restriction of Rendered UI Layers or Frames Affecting cockpit-doc package, versions <0:264.1-1.el8
Threat Intelligence
EPSS: 0.07% (32nd percentile)
Snyk ID SNYK-CENTOS8-COCKPITDOC-1969334
- published 28 Jul 2021
- disclosed 20 Jul 2021
Introduced: 20 Jul 2021
CVE-2021-3660
How to fix?
Upgrade Centos:8 cockpit-doc to version 0:264.1-1.el8 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream cockpit-doc package and not the cockpit-doc package as distributed by Centos.
See How to fix? for Centos:8 relevant fixed versions and status.
Cockpit (and its plugins) do not seem to protect themselves against clickjacking. It is possible to render a page from a Cockpit server via another website, inside an <iframe> HTML element. This may be used by a malicious website in clickjacking or similar attacks.
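The exposure described above comes down to one question: does the server's response tell the browser it may not be rendered inside another site's frame? The following is an added example, not code from the Snyk advisory or from the Cockpit project, that classifies a response's headers the way a current browser would apply them (CSP `frame-ancestors` takes precedence over `X-Frame-Options`; a response with neither is frameable by any origin). The `BEFORE`/`AFTER` header sets are constructed for the demonstration and are not captured Cockpit output.

```python
"""Check HTTP response headers for anti-framing (clickjacking) protection.

Added example, not code from the Snyk advisory or from the Cockpit project.
It classifies a response by what a modern browser does when a third-party
page tries to embed it in an <iframe>: CSP frame-ancestors wins when present,
otherwise X-Frame-Options decides, otherwise the page is frameable, which is
the condition CVE-2021-3660 describes. The sample header sets below are
constructed for the demonstration.
"""
from typing import Dict, List, Mapping, Optional


def _fold(headers: Mapping[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive; fold to lower case for lookups.
    return {name.lower(): value.strip() for name, value in headers.items()}


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if the
    directive is absent. An empty source list is returned as [] (matches nothing)."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Classify one response's headers.

    'blocked'      no other page may frame this one
    'same-origin'  only pages from the same origin may frame it
    'restricted'   only the origins listed in CSP frame-ancestors may frame it
    'unprotected'  any site may frame it (clickjacking exposure)
    """
    h = _fold(headers)
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            if "*" in sources:
                return "unprotected"
            return "restricted"
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers, as is any
    # unrecognised value, so the response is effectively frameable.
    return "unprotected"


def audit(responses: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Return the URLs (keys) whose responses are frameable by any site."""
    return [url for url, hdrs in responses.items()
            if framing_protection(hdrs) == "unprotected"]


# Constructed samples: a response with no anti-framing headers, and the same
# response after adding them (illustrative values, not captured Cockpit output).
BEFORE = {"Content-Type": "text/html; charset=utf-8"}
AFTER = {"Content-Type": "text/html; charset=utf-8",
         "X-Frame-Options": "SAMEORIGIN",
         "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {framing_protection(hdrs)}")
```

Feeding `audit()` the headers captured from each page of a deployment (for example from a logged set of responses) lists the endpoints still frameable by arbitrary origins, which is the condition a fixed version should no longer exhibit. The obsolete `ALLOW-FROM` form is deliberately treated as no protection because current browsers ignore the header entirely when it carries that value.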
CVSS Scores
version 3.1