CVE-2019-9147

Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack against the settings page. As the settings page is intended to be accessible from web applications, the browser's extension isolation mechanisms are disabled (web_accessible_resources). Mailvelope implements additional measures to prevent web applications from directly embedding the settings page, but this mechanism can be bypassed.
Configurations

Configuration 1

cpe:2.3:a:mailvelope:mailvelope:*:*:*:*:*:*:*:*

Information

Published : 2019-07-09 09:15

Updated : 2020-08-24 05:37


NVD link : CVE-2019-9147

Mitre link : CVE-2019-9147

Products Affected
No products.
CWE
CWE-1021

Improper Restriction of Rendered UI Layers or Frames