CVE-2021-3734

8.8 HIGH

📋 TL;DR

CVE-2021-3734 is a clickjacking vulnerability in YOURLS URL shortener software that allows attackers to overlay malicious UI elements over legitimate YOURLS pages. This enables attackers to trick users into performing unintended actions like creating malicious short URLs or changing settings. All YOURLS installations with the vulnerable code are affected.

💻 Affected Systems

Products:
  • YOURLS (Your Own URL Shortener)
Versions: All versions before commit 0a70acdcfb5fcbc63dbc5750018d608288eba3fe
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All standard YOURLS installations are vulnerable unless specifically patched or configured with clickjacking protections.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could create malicious short URLs that redirect to phishing sites, steal admin credentials through fake login overlays, or modify YOURLS configuration to take control of the service.

🟠 Likely Case

Attackers create malicious short URLs that redirect users to phishing or malware sites, potentially compromising user credentials or systems.

🟢 If Mitigated

With proper clickjacking protections, users would be protected from UI overlay attacks, though other vulnerabilities might still exist.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (clicking on malicious overlays) but the attack technique is well-known and simple to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 0a70acdcfb5fcbc63dbc5750018d608288eba3fe

Vendor Advisory: https://github.com/yourls/yourls/commit/0a70acdcfb5fcbc63dbc5750018d608288eba3fe

Restart Required: No

Instructions:

1. Update YOURLS to the latest version.
2. Apply commit 0a70acdcfb5fcbc63dbc5750018d608288eba3fe.
3. Verify that the X-Frame-Options header is set to DENY or SAMEORIGIN.

🔧 Temporary Workarounds

Add X-Frame-Options Header (all platforms)

Configure the web server to send X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN on every YOURLS response. Use a directive that sets the header rather than appends to it: a merged value such as "SAMEORIGIN, SAMEORIGIN" is invalid and browsers ignore it.

For Apache (mod_headers): Header always set X-Frame-Options "SAMEORIGIN"
For Nginx: add_header X-Frame-Options SAMEORIGIN always;

Add Content-Security-Policy frame-ancestors (all platforms)

Send a CSP frame-ancestors directive to restrict which origins may frame YOURLS pages. Browsers that implement this directive ignore X-Frame-Options when both headers are present, so its value must be at least as strict as the X-Frame-Options setting.

Content-Security-Policy: frame-ancestors 'self';

🧯 If You Can't Patch

  • Implement web application firewall rules to block clickjacking attempts
  • Educate users about clickjacking risks and train them to verify URLs before clicking

🔍 How to Verify

Check if Vulnerable:

Check whether the X-Frame-Options header is missing or set to the obsolete ALLOW-FROM value, which current browsers ignore. Use browser developer tools or curl -I to inspect the response headers.

Check Version:

Check YOURLS version in admin interface or examine commit history in installation directory.

Verify Fix Applied:

Verify X-Frame-Options header is present and set to DENY or SAMEORIGIN. Test with clickjacking test tools.
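The header checks above, as an added example that is not part of the original advisory: it takes a response's headers as a dict, decides on a CSP frame-ancestors directive first (it overrides X-Frame-Options in browsers that support it), then falls back to X-Frame-Options, treating missing, ALLOW-FROM and merged values as unprotected. The sample responses are constructed, not captured from a real YOURLS instance.

```python
def frame_ancestors_sources(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # An empty source list is equivalent to 'none'.
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def assess_framing_protection(headers):
    """Return (protected, reasons) for a dict of response headers.

    Header names are matched case-insensitively. Browsers that implement CSP
    frame-ancestors ignore X-Frame-Options when both are present, so the CSP
    directive decides whenever it is set.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy")
    sources = frame_ancestors_sources(csp) if csp else None
    if sources is not None:
        # '*' or a bare scheme such as 'https:' lets any origin frame the page.
        permissive = [s for s in sources if s == "*" or s.endswith(":")]
        if permissive:
            return False, ["frame-ancestors allows arbitrary origins: " + " ".join(permissive)]
        return True, ["frame-ancestors restricts framing to: " + " ".join(sources)]
    xfo = lowered.get("x-frame-options")
    if xfo is None:
        return False, ["no X-Frame-Options header and no frame-ancestors directive"]
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, ["X-Frame-Options: " + value]
    if value.startswith("ALLOW-FROM"):
        return False, ["X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"]
    # e.g. 'DENY, SAMEORIGIN' when two layers each add the header: invalid, so ignored.
    return False, ["X-Frame-Options has an invalid value: " + repr(xfo)]


# Constructed sample responses (not captured from any real YOURLS instance).
SAMPLE_RESPONSES = {
    "unpatched": {"Content-Type": "text/html"},
    "apache_workaround": {"X-Frame-Options": "SAMEORIGIN"},
    "double_set": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "csp_wide_open": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        ok, why = assess_framing_protection(hdrs)
        print("%-18s %s  %s" % (name, "protected" if ok else "VULNERABLE", "; ".join(why)))
```

To run it against a live instance, feed it the headers returned by your HTTP client (for example the `headers` attribute of a `requests` response) instead of the constructed samples.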

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed frame embedding attempts
  • Unusual referrer patterns in access logs

Network Indicators:

  • HTTP requests with missing or weak X-Frame-Options headers
  • Multiple domains attempting to frame your YOURLS pages

SIEM Query:

http.headers:X-Frame-Options="ALLOW-FROM" OR NOT http.headers:X-Frame-Options
