CWE-1021: Improper Restriction of Rendered UI Layers or Frames

ID: CWE-1021
Abstraction: Base
Structure: Simple
Status: Incomplete
Number of CVEs: 271
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.
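The two response headers that implement the restriction described above are the legacy X-Frame-Options header (DENY or SAMEORIGIN) and the Content-Security-Policy frame-ancestors directive; browsers that understand frame-ancestors ignore X-Frame-Options when both are present. The following is an added example, not part of the CWE entry: a small checker that classifies a captured set of response headers by the framing policy they actually produce, plus a helper that emits the headers a server should send. The sample header sets and the origin https://partner.example are constructed for illustration.

```python
"""Added example: inspecting and generating anti-framing headers (CWE-1021).

Controls that restrict rendering in frames:
  * X-Frame-Options: DENY | SAMEORIGIN   (legacy, no allow-list support)
  * Content-Security-Policy: frame-ancestors <source-list>
Browsers that support frame-ancestors ignore X-Frame-Options when both exist.
"""
from typing import Dict, List, Optional, Tuple


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup of a response header."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list of a CSP header, or None if absent.

    An empty source list means no ancestor may embed the page, i.e. 'none'.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def assess_framing(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify a response's framing policy.

    Returns (verdict, reason); verdict is one of 'denied', 'same-origin',
    'allow-list' or 'unrestricted'. 'unrestricted' is the CWE-1021 condition:
    any origin may render the page inside a frame.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:  # frame-ancestors takes precedence over XFO
            if sources == ["'none'"]:
                return "denied", "CSP frame-ancestors 'none'"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "unrestricted", "CSP frame-ancestors allows any origin"
            if sources == ["'self'"]:
                return "same-origin", "CSP frame-ancestors 'self'"
            return "allow-list", "CSP frame-ancestors " + " ".join(sources)

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "denied", "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            return "same-origin", "X-Frame-Options: SAMEORIGIN"
        # ALLOW-FROM and other unrecognised values are ignored by current
        # browsers, which then render the page in any frame.
        return "unrestricted", f"X-Frame-Options value {xfo!r} is not honoured"

    return "unrestricted", "no X-Frame-Options or CSP frame-ancestors header"


def anti_framing_headers(allowed: Optional[List[str]] = None) -> Dict[str, str]:
    """Headers a server should send to restrict framing.

    allowed=None denies all framing; ["'self'"] permits same-origin framing;
    any other list becomes a CSP allow-list. X-Frame-Options cannot express an
    allow-list, so it is only emitted for the two cases it can represent.
    """
    if not allowed:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if allowed == ["'self'"]:
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(allowed)}


# Constructed sample responses (illustrative, not captured from a real site).
SAMPLES: Dict[str, Dict[str, str]] = {
    "missing": {"Content-Type": "text/html"},
    "legacy_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "xfo_deny": {"x-frame-options": "deny"},
    "csp_wildcard": {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
    "csp_overrides_xfo": {"X-Frame-Options": "SAMEORIGIN",
                          "Content-Security-Policy": "frame-ancestors 'none'"},
    "csp_partner": {"Content-Security-Policy":
                    "frame-ancestors 'self' https://partner.example"},
}


def audit(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, str]:
    """Map each sample name to its verdict (handy as a regression check)."""
    return {name: assess_framing(h)[0] for name, h in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict, reason = assess_framing(hdrs)
        print(f"{name:18s} {verdict:13s} {reason}")
    print(anti_framing_headers(["'self'", "https://partner.example"]))
```

The checker deliberately reports a lone ALLOW-FROM header as unrestricted: current browsers do not honour it, so a page relying on it is frameable by any origin and should move to a CSP frame-ancestors allow-list.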

Modes of Introduction

Phase | Note
Implementation |

Applicable Platforms

Type | Class | Name | Prevalence
Technology | Web Based | |

Relationships

View (ID | Name | Status) | Weakness (ID | Name | Abstraction | Structure | Status)
CWE-1000 | Research Concepts | Draft | CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | Class | Simple | Draft
CWE-1003 | Weaknesses for Simplified Mapping of Published Vulnerabilities | Incomplete | CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | Class | Simple | Draft
CWE-1000 | Research Concepts | Draft | CWE-451 | User Interface (UI) Misrepresentation of Critical Information | Class | Simple | Draft

Common Attack Pattern Enumeration and Classification (CAPEC)

The Common Attack Pattern Enumeration and Classification (CAPEC™) effort provides a publicly available catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.

CAPEC at Mitre.org
ID | Name | Weaknesses
CAPEC-103 | Clickjacking | CWE-1021
CAPEC-181 | Flash File Overlay | CWE-1021
CAPEC-222 | iFrame Overlay | CWE-1021
CAPEC-504 | Task Impersonation | CWE-1021
CAPEC-506 | Tapjacking | CWE-1021
CAPEC-587 | Cross Frame Scripting (XFS) | CWE-1021
CAPEC-654 | Credential Prompt Impersonation | CWE-1021

CVEs Published

(Charts not rendered on this page: CVSS Severity, CVSS Severity - By Year, CVSS Base Score.)

CVE table columns: CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits PoC | Publication Date | Modification Date
(Table rows not rendered on this page.)