CVE-2025-9108: Missing X-Frame-Options or Content-Security-Policy Headers
CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-9108
Summary
The application does not implement protection mechanisms against Clickjacking. This allows legitimate pages to be embedded within malicious iframes, leading users to interact with invisible or disguised elements, which can result in session hijacking, unintended actions, and other attacks.
Details
Vulnerable Endpoint: https://x.x.x.x/login
The HTTP response from the page does not include the following headers: X-Frame-Options, and Content-Security-Policy with a frame-ancestors directive.
Application HTTP Response:
This absence allows the application to be embedded within iframe elements on third-party websites.
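As an added example (not part of the CVE record or the finder's material), the following Python function evaluates a captured set of response headers for framing protection and explains why a response without either header, like the one described above, is frameable. It applies the browser precedence rule that an enforced Content-Security-Policy frame-ancestors directive overrides X-Frame-Options; all header values used are constructed.

```python
from typing import Dict, List, Tuple

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def assess_clickjacking(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one HTTP response's headers.

    Header names are matched case-insensitively. Only the enforcing
    Content-Security-Policy header counts; a Report-Only policy does not block framing.
    """
    lower = {k.strip().lower(): v for k, v in headers.items()}

    # CSP Level 2: when frame-ancestors is present, browsers ignore X-Frame-Options.
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            if "*" in ancestors:
                return False, "CSP frame-ancestors allows any origin (*)"
            # An empty source list is equivalent to 'none'.
            return True, "CSP frame-ancestors restricts framing to: " + (" ".join(ancestors) or "'none'")

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return False, "X-Frame-Options has an invalid value: " + xfo
    return False, "neither X-Frame-Options nor CSP frame-ancestors is set"

if __name__ == "__main__":
    # Constructed header sets: the finding's situation, and two remediated responses.
    for sample in (
        {"Content-Type": "text/html"},
        {"X-Frame-Options": "SAMEORIGIN"},
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://sso.example.com"},
    ):
        print(sample, "->", assess_clickjacking(sample))
```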
Impact
- Performing unauthorized actions: Attackers can trick users into clicking hidden buttons or links, executing critical actions without their consent.
- Credential theft: A disguised click can lead users to enter sensitive information such as logins and passwords.
- Transferring funds or unauthorized purchases: Users can be tricked into authorizing financial transactions on banking or e-commerce websites.
- Changing account settings: Attackers can exploit clickjacking to trick victims into disabling security features or changing recovery emails.
- Installing malware: Manipulated clicks can initiate the download of malicious files without the user's knowledge.
- Privilege escalation: In administrative applications, a forced click can grant elevated access to attackers.
- Loss of trust: The psychological and reputational impact on the organization can be significant, as users perceive the site as insecure.
Reference
https://vuldb.com/?submit.627923
Finder
By: CVE-Hunters