Description

The web page was found to be using an Inline Frame ("iframe") to embed a resource, such as a different web page. The Inline Frame is either configured insecurely, or not as securely as expected. This vulnerability alert is based on the origin of the embedded resource and the iframe's sandbox attribute, which can be used to apply security restrictions as well as exceptions to these restrictions.

Remediation

Review the iframe's purpose and environment, and use the sandbox attribute to secure the iframe while applying sandbox directives to ease security restrictions if necessary.

References

MDN | iframe: The Inline Frame Element

HTML Standard: iframe

HTML 5.2: 4.7. Embedded content

Related Vulnerabilities

PHP allow_url_include Is Enabled

Magento Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2019-8154)

CKEditor Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2021-26272)

Cross frame scripting

PHP allow_url_include enabled

Severity

Low

Classification

CWE-829 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Tags

XFS