Hashicorp Boundary versions prior to 0.11.0 suffer from a clickjacking vulnerability.
# Exploit Title: Hashicorp Boundary < v0.11.0 - Clickjacking
# Date: 07/08/2022
# Exploit Author: Brandon Roach (V4quero)
# Vendor Homepage: https://releases.hashicorp.com/boundary/
# Software Link: https://github.com/hashicorp/boundary
# Version: < v0.11.0
# Patch Status: Unpatched
# Tested on: Linux
# CVE: CVE-2022-36182
An attacker can exploit this vulnerability to intercept login credentials, redirect users to malicious sites, or cause users to perform malicious actions on the site.
Attack vector:
To exploit the vulnerability, an attacker would frame the application and overlay hidden UI elements on the site.
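Whether a deployment can be framed at all is visible in its response headers. The Python below is an added example, not part of the advisory and not HashiCorp code; it assumes the standard anti-framing headers (`X-Frame-Options` and the CSP `frame-ancestors` directive), and every header value in it is constructed.

```python
# Added example: classify whether response headers let another origin frame a page.
# All header values in SAMPLES are constructed; none were captured from Boundary.
BROAD = {"*", "http:", "https:"}            # sources that match any web origin
XFO_VALID = {"deny", "sameorigin", "allowall"}

def frame_ancestors(policy):
    """Source list of frame-ancestors in one CSP policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_verdict(headers):
    """headers: list of (name, value) pairs, so repeated headers survive.
    Returns 'blocked', 'restricted' (only some origins) or 'frameable'."""
    csp, xfo = [], set()
    for name, value in headers:
        if name.lower() == "content-security-policy":  # Report-Only is not enforced
            for policy in value.split(","):             # every policy must allow
                sources = frame_ancestors(policy)
                if sources is not None:
                    csp.append(sources)
        elif name.lower() == "x-frame-options":
            xfo.update(v.strip().lower() for v in value.split(",") if v.strip())
    if csp:  # an enforced frame-ancestors makes browsers ignore X-Frame-Options
        if any(s == [] or s == ["'none'"] for s in csp):
            return "blocked"
        return "frameable" if all(BROAD & set(s) for s in csp) else "restricted"
    if len(xfo) > 1 and xfo & XFO_VALID:
        return "blocked"                    # conflicting values fail closed
    if xfo == {"deny"}:
        return "blocked"
    if xfo == {"sameorigin"}:
        return "restricted"
    return "frameable"  # no header, ALLOWALL, or an obsolete value such as ALLOW-FROM

SAMPLES = {  # constructed responses
    "no headers": [],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "obsolete allow-from": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
    "csp none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp wildcard beats xfo": [("X-Frame-Options", "SAMEORIGIN"),
                               ("Content-Security-Policy", "frame-ancestors *")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:24} -> {framing_verdict(hdrs)}")
```

A `frameable` verdict means the browser will render the page inside a third-party frame; `blocked` or `restricted` is the result to aim for on login and administrative pages.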
Reference:
https://owasp.org/www-community/attacks/Clickjacking