CVE-2025-9108
BaseFortify
Publication date: 2025-08-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1021 | The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9108 is a clickjacking vulnerability (CWE-1021) in the login page of i-diario. The page is served without an 'X-Frame-Options' header and without a 'Content-Security-Policy' 'frame-ancestors' directive, so a site under the attacker's control can load it inside an iframe and hide it under, or disguise it as, other content. A visitor who believes they are clicking or typing on the attacker's page is in fact interacting with the framed i-diario login form. The attack is remote and needs no prior authentication, but it requires the victim to visit the attacker's page and interact with it. [1, 2]
How can this vulnerability impact me? :
Because the login page can be framed, an attacker can lure a user to a malicious page and steer their clicks and keystrokes into the hidden i-diario form, so that the user performs actions in the application they did not intend. Clickjacking on its own does not hand the attacker the session cookie (the browser's same-origin policy still applies to the framed content); the harm is that the attacker drives actions in the victim's own session. Exploitation is remote and unauthenticated but depends on user interaction, which makes this a moderate rather than a critical risk. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Check whether the login page (the resources give https://x.x.x.x/login.php as a placeholder URL) is served without frame-restricting headers. Fetch the headers with a GET request rather than a HEAD request, because some applications only set security headers on full responses: 'curl -sS -o /dev/null -D - https://x.x.x.x/login.php' writes the received headers to stdout and discards the body ('curl -I https://x.x.x.x/login.php' sends HEAD and is only reliable if its response matches the GET). The page is susceptible if the response carries neither an 'X-Frame-Options' header with the value 'DENY' or 'SAMEORIGIN' nor a 'Content-Security-Policy' header containing a 'frame-ancestors' directive. Two pitfalls: a 'Content-Security-Policy-Report-Only' header enforces nothing, and an 'X-Frame-Options' value other than 'DENY' or 'SAMEORIGIN' (for example 'ALLOWALL', or the deprecated 'ALLOW-FROM' form that current browsers no longer honour) is ignored, so both count as absent. [1]
What immediate steps should I take to mitigate this vulnerability?
The resources cited for this CVE report no vendor fix, and VulDB's generic advice is to consider replacing the affected component. [2] The standard countermeasure for clickjacking is nevertheless well understood, even if those resources do not state it: serve the login page (and preferably every response) with a 'Content-Security-Policy' header whose 'frame-ancestors' directive lists only the origins allowed to frame it ('none' if framing is never wanted, 'self' for same-origin only), and add 'X-Frame-Options: DENY' or 'X-Frame-Options: SAMEORIGIN' for older browsers that predate 'frame-ancestors'. When both headers are present, browsers that support 'frame-ancestors' give it precedence. Setting the headers at the reverse proxy or web server in front of the application works without code changes, but every route behind that server should then be reviewed so that a legitimate same-origin embed is not broken. After deploying the change, re-check the live headers with the curl command from the detection answer rather than trusting the configuration edit. [2, 1]
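The header check from the detection answer and the post-fix verification from the mitigation answer, as an added shell example that is not part of the BaseFortify page or the i-diario project. It reads raw HTTP response headers on stdin, as produced by 'curl -sS -o /dev/null -D - URL', and applies the browser rules described above: an enforced CSP 'frame-ancestors' directive wins, a report-only CSP counts for nothing, and an 'X-Frame-Options' value other than DENY or SAMEORIGIN is treated as absent. The function name classify_framing_headers and the three header sets at the bottom are my own constructions, not captures from any real host.

```shell
#!/bin/sh
# Added example: classify raw HTTP response headers for clickjacking exposure.
# Not from the BaseFortify page or the i-diario project.
#
# Usage: curl -sS -o /dev/null -D - https://target/login | classify_framing_headers
# Prints one verdict line; exit status 0 = protected, 1 = finding.

classify_framing_headers() {
  # Strip CRs and lowercase everything so header names/values match simply.
  hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')

  # Enforced CSP only: the pattern ends in ':' so the header
  # content-security-policy-report-only: is deliberately not matched.
  # Only the first CSP header and its first frame-ancestors directive are used.
  fa=$(printf '%s\n' "$hdrs" \
       | sed -n 's/^content-security-policy:[[:space:]]*//p' \
       | grep -o 'frame-ancestors[^;]*' | head -n 1 | sed 's/[[:space:]]*$//')
  if [ -n "$fa" ]; then
    # Any frame-ancestors directive restricts framing to the listed sources;
    # browsers that support it give it precedence over X-Frame-Options.
    printf 'PROTECTED: enforced CSP %s\n' "$fa"
    return 0
  fi

  # Fall back to X-Frame-Options (first occurrence only).
  xfo=$(printf '%s\n' "$hdrs" \
        | sed -n 's/^x-frame-options:[[:space:]]*//p' | head -n 1 \
        | sed 's/[[:space:]]*$//')
  case "$xfo" in
    deny|sameorigin)
      printf 'PROTECTED: x-frame-options %s\n' "$xfo"
      return 0 ;;
    "")
      printf 'VULNERABLE: no x-frame-options and no csp frame-ancestors\n'
      return 1 ;;
    *)
      # ALLOWALL, ALLOW-FROM ..., typos: browsers ignore the header entirely.
      printf 'VULNERABLE: x-frame-options "%s" is not deny/sameorigin and is ignored by browsers\n' "$xfo"
      return 1 ;;
  esac
}

# Constructed sample responses (not captured from any real host).
vuln_hdrs='HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: _session_id=abc123; path=/; HttpOnly'

report_only_hdrs="HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy-Report-Only: frame-ancestors 'none'"

fixed_hdrs="HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY"

# Status 1 signals a finding; '|| :' keeps the demo printing every verdict.
for sample in "$vuln_hdrs" "$report_only_hdrs" "$fixed_hdrs"; do
  printf '%s\n' "$sample" | classify_framing_headers || :
done
```

Run it against a live host by piping the curl command from the usage comment into the function; a non-zero exit status makes it easy to fail a deployment check when the login page regresses to an unprotected state.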