| Title | i-diario i-diario login system 2.9 Clickjacking |
|---|
| Description | A Clickjacking vulnerability was identified in sensitive pages of the application, such as the login page. The server does not return security headers like X-Frame-Options or Content-Security-Policy with the frame-ancestors directive, allowing the application to be embedded within iframes on external domains. This can be exploited by an attacker to trick users and perform unauthorized actions.
Summary:
The application does not implement protection mechanisms against Clickjacking. This allows legitimate pages to be embedded within malicious iframes, leading users to interact with invisible or disguised elements, which can result in session hijacking, unintended actions, and other attacks.
Details:
Affected URL: https://192.168.100.226/login
The HTTP response from the page does not include the following headers:
X-Frame-Options
Content-Security-Policy: frame-ancestors 'none';
Tested URL: https://192.168.100.226/login.php
Application HTTP Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
...
Missing headers:
X-Frame-Options
Content-Security-Policy: frame-ancestors 'none';
This absence allows the application to be embedded within <iframe> elements on third-party websites. |
|---|
| User | princival (UID 88631) |
|---|
| Submission | 08/03/2025 18:49 (11 months ago) |
|---|
| Moderation | 08/17/2025 22:38 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 320430 [Portabilis i-Diario up to 1.5.0 Login Page ui layer] |
|---|
| Points | 17 |
|---|
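The finding above reduces to one question per response: does anything in the headers stop a third-party origin from embedding the page? The following script is an added example, not code from the submission or from i-Diario, that answers that question the way current browsers do. It parses a raw response head (the two sample responses are constructed to mirror the report, not captured from the target), gives an enforced `Content-Security-Policy: frame-ancestors` precedence over `X-Frame-Options`, ignores `Content-Security-Policy-Report-Only` because it never blocks, and treats the obsolete `ALLOW-FROM` form as no protection. The `assess`, `parse_raw_headers` and `check_url` names and the `https://192.168.100.226` origin are assumptions for this example.

```python
"""Added example (not from the submission or i-Diario): decide whether an HTTP response
leaves a page frameable by third-party origins, i.e. the clickjacking condition reported above."""
from dataclasses import dataclass
from urllib.parse import urlsplit
import ssl
import urllib.request

SITE_ORIGIN = "https://192.168.100.226"  # origin of the reported target (assumed for the example)

# Constructed sample responses modelled on the report; not captured from the host.
VULNERABLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
...
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""


@dataclass
class FramingVerdict:
    frameable_cross_origin: bool
    reason: str


def parse_raw_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response head into (lowercased name, value) pairs.
    The status line is dropped; lines without a colon (such as the '...' elision) are skipped."""
    headers = []
    for line in raw.replace("\r\n", "\n").strip().split("\n")[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def frame_ancestors_policies(headers: list[tuple[str, str]]) -> list[list[str]]:
    """Source list of every frame-ancestors directive in an enforced CSP header.
    Content-Security-Policy-Report-Only is deliberately ignored: it reports, it never blocks."""
    policies = []
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                policies.append([t.lower() for t in tokens[1:]])
    return policies


def assess(headers: list[tuple[str, str]], site_origin: str) -> FramingVerdict:
    """Apply the browser rules: frame-ancestors wins when present, otherwise X-Frame-Options."""
    site_origin = site_origin.lower()
    for sources in frame_ancestors_policies(headers):
        # An empty source list is equivalent to 'none'.
        if sources in ([], ["'none'"]):
            return FramingVerdict(False, "CSP frame-ancestors 'none': no origin may embed the page")
        if all(s in ("'self'", site_origin) for s in sources):
            return FramingVerdict(False, "CSP frame-ancestors limited to the site's own origin")
        # Any other source list admits at least one foreign origin or scheme.
        return FramingVerdict(True, f"CSP frame-ancestors admits other origins: {sources}")
    # No enforced frame-ancestors: X-Frame-Options decides.
    xfo = [v.strip().upper() for n, v in headers if n == "x-frame-options"]
    if xfo:
        if "DENY" in xfo:
            return FramingVerdict(False, "X-Frame-Options: DENY")
        if all(v == "SAMEORIGIN" for v in xfo):
            return FramingVerdict(False, "X-Frame-Options: SAMEORIGIN")
        # ALLOW-FROM is obsolete and unrecognised values are ignored, leaving the page frameable.
        return FramingVerdict(True, f"X-Frame-Options value not enforced by browsers: {xfo}")
    return FramingVerdict(True, "no X-Frame-Options and no CSP frame-ancestors: any origin may embed the page")


def check_url(url: str, verify_tls: bool = True) -> FramingVerdict:
    """Live check of one URL. Redirects are followed, so the verdict is for the final response.
    verify_tls=False exists only for lab hosts with self-signed certificates; keep it on elsewhere."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx) as resp:
        headers = [(k.lower(), v) for k, v in resp.getheaders()]
    parts = urlsplit(resp.geturl())
    return assess(headers, f"{parts.scheme}://{parts.netloc}")


if __name__ == "__main__":
    for label, raw in (("reported", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        verdict = assess(parse_raw_headers(raw), SITE_ORIGIN)
        print(f"{label}: frameable by third parties = {verdict.frameable_cross_origin} ({verdict.reason})")
```

Run the script as-is to see the two constructed responses classified, or call `check_url("https://192.168.100.226/login", verify_tls=False)` against the lab target to test the live page. Note that a missing-header scan alone can misjudge a page: `Content-Security-Policy-Report-Only: frame-ancestors 'none'` and `X-Frame-Options: ALLOW-FROM ...` both look like protection in a header dump but leave the page embeddable, and a `frame-ancestors` directive that lists a partner origin still permits framing from that origin; the verdict above reports those cases rather than the bare presence of a header name.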