Impact
A clickjacking weakness exists in the browser-facing login and administrative UI of Ajenti versions up to 2.2.13. The web server does not add anti-framing protections such as the X‑Frame‑Options header or a Content‑Security‑Policy frame‑ancestors directive, allowing a malicious page to embed the interface in an invisible frame. An attacker can trick a logged‑in administrator into interacting with the frame, potentially causing unintended actions or credential leakage.
Affected Systems
Any installation of Ajenti with a version older than or equal to 2.2.13 is affected. This includes standard Ajenti deployments that use the default web interface and rely on the bundled ajenti-core components.
Risk and Exploitability
The vulnerability is client‑side and requires the user to load a malicious page that frames the Ajenti interface; no remote code execution is possible from the attack surface alone. Because the exploit requires a victim to visit a crafted site, the likelihood of wide exploitation is moderate, but the impact could be serious if administrators are targeted. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, but the absence of framing protections suggests a high potential for abuse in targeted scenarios.
OpenCVE Enrichment