SECR-005: Clickjacking on Settings Page ¶
1 Status ¶
| Date | Status | |
|---|---|---|
| 01-07-2026 | Identified | |
| 02-07-2026 | Analysed | |
| 03-07-2026 | Mitigating | |
| ▶ | 07-07-2026 | Closed |
2 Threat ¶
An attacker overlays the settings page in a hidden frame and tricks a logged-in user into clicking a destructive control.
3 Vulnerability ¶
The application served no frame-ancestors policy, so any site could embed it.
4 CVSS Vector ¶
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
5 CVSS Score ¶
6 Mitigation ¶
Shipped: the frame-ancestors content-security policy denies all embedding, and the smoke test asserts the header on every page.
7 Monitoring ¶
None; the risk is closed. Reopen if an embedding use case ever requires relaxing the policy.