{"id":"CVE-2021-3660","details":"Cockpit (and its plugins) does not seem to protect itself against clickjacking. It is possible to render a page from a Cockpit server via another website, inside an \u003ciFrame\u003e HTML element. This may be used by a malicious website in clickjacking or similar attacks.","modified":"2026-04-16T04:32:55.746403638Z","published":"2022-03-10T17:42:55.647Z","related":["ALSA-2022:2008"],"references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1980688"},{"type":"FIX","url":"https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10"},{"type":"FIX","url":"https://github.com/cockpit-project/cockpit/issues/16122"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cockpit-project/cockpit","events":[{"introduced":"0"},{"fixed":"251926ad966a6a57e992b06c4fccf2f2423f88a8"},{"fixed":"8d9bc10d8128aae03dfde62fd00075fe492ead10"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"254"}]}}],"versions":["0.10","0.100","0.101","0.102","0.103","0.104","0.105","0.106","0.107","0.108","0.109","0.11","0.110","0.111","0.112","0.113","0.114","0.115","0.116","0.117","0.12","0.13","0.14","0.15","0.16","0.17","0.18","0.19","0.2","0.20","0.21","0.22","0.23","0.24","0.25","0.26","0.27","0.28","0.29","0.3","0.30","0.31","0.32","0.33","0.34","0.35","0.36","0.37","0.38","0.39","0.4","0.40","0.41","0.42","0.44","0.45","0.46","0.47","0.48","0.49","0.5","0.50","0.51","0.52","0.53","0.54","0.55","0.56","0.57","0.58","0.59","0.6","0.60","0.61","0.62","0.63","0.64","0.65","0.66","0.67","0.68","0.69","0.7","0.70","0.71","0.72","0.73","0.74","0.75","0.76","0.77","0.78","0.79","0.8","0.80","0.81","0.82","0.83","0.84","0.85","0.86","0.87","0.88","0.89","0.9","0.90","0.91","0.92","0.93","0.94","0.95","0.96","0.96-1","0.97","0.98","0.99","118","119","120","121","122","123","124","125","126","127","128","129","130","131","132","133","134","135","136","137","138","139","140","141","142","143","144","14
5","146","147","148","149","150","151","152","153","154","155","156","157","158","159","160","161","162","163","164","165","166","167","168","169","170","171","172","173","174","175","176","177","178","179","180","181","182","183","184","185","186","187","188","189","190","191","192","193","194","195","196","197","198","199","200","201","202","202.1","203","204","205","205.1","206","207","208","209","210","211","212","213","214","214.1","215","216","217","218","219","220","221","221.1","222","222.1","223","224","225","226","227","228","229","230","231","232","233","233.1","234","235","236","237","238","238.1","239","240","241","242","243","244","244.1","245","246","247","248","249","250","251","252","253"],"database_specific":{"vanir_signatures":[{"target":{"file":"src/common/cockpitwebresponse.c"},"source":"https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10","deprecated":false,"id":"CVE-2021-3660-0b2bf10d","digest":{"threshold":0.9,"line_hashes":["134655402416378279483429680485234518541","292222678174790241311677260487533223928","309271648936713598462387289853482135675","268971167726584180281546125277119645421","133267846151928897689910292218534056527","3397344417416461134128263470272402462","281014394522471031140424059057317025718","144330048431258142360128838096477822215","173555419823742892274023789639976169352","56982047601249035356228339888196003252","86012658027789560600591753589253616155","130140710033837481933422337657713424558"]},"signature_type":"Line","signature_version":"v1"},{"target":{"function":"finish_headers","file":"src/common/cockpitwebresponse.c"},"source":"https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10","deprecated":false,"id":"CVE-2021-3660-88da9a07","digest":{"length":1908,"function_hash":"218541981637196949492337221263490501649"},"signature_type":"Function","signature_version":"v1"},{"target":{"function":"append_header","file":"src/common/cockpitwebresponse.c
"},"id":"CVE-2021-3660-d186b283","deprecated":false,"source":"https://github.com/cockpit-project/cockpit/commit/8d9bc10d8128aae03dfde62fd00075fe492ead10","digest":{"length":1155,"function_hash":"64335642523941509145852724743639902650"},"signature_type":"Function","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T16:26:01Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3660.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}