X-Frame

Posts: 8
Topic starter
(@cbotts)
Member
Joined: 6 years ago

Hello, 

Someone from the outside pointed out a possible flaw in our system. I just upgraded from 1.14.3 to 1.14.8 and plan to go further, but that will require upgraded PHP etc. Can anyone confirm if this is indeed an issue or not?

The details of it are as follows:

Summary:
X-Frame-Options ALLOW-FROM is not supported by several browsers.

Steps To Reproduce:
1. Create a new HTML file
2. Put <iframe src="https://mysite.com.com/login.php" frameborder="0"></iframe> in it
3. Save the file
4. Open the document in a browser

Impact:
An attacker may trick a user by sending them a malicious link; when the user opens it and clicks some image, their account is unknowingly deactivated.

Solution:
The vulnerability can be fixed by adding "frame-ancestors 'self';" to the CSP (Content-Security-Policy) header.

PoC:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="X-Frame-Bypass: Web Component extending IFrame to bypass X-Frame-Options: deny/sameorigin">
    <title>X-Frame-Bypass Web Component Demo</title>
    <style>
      html, body {
        margin: 0;
        padding: 0;
        height: 100%;
        overflow: hidden;
      }
      iframe {
        display: block;
        width: calc(70% - 40px);
        height: calc(80% - 40px);
        margin: 20px;
      }
      img {
        position: absolute;
        top: 0;
        right: 0;
      }
    </style>
    <!-- Polyfill for customized built-in elements (the is="..." attribute below) -->
    <script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
    <!-- x-frame-bypass.js is an external script not included in this post; it
         fetches the target page through a CORS proxy and injects the returned
         markup, so the victim's own session cookies are never sent -->
    <script src="x-frame-bypass.js" type="module"></script>
  </head>
  <body>
    <h1>x-frame-bypass in your site</h1>
    <iframe is="x-frame-bypass" src="https://www.cdcp.cz/mujh depozitar/#/login"></iframe>
  </body>
</html>

 

FIX:
Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors. You should implement a CSP header to avoid these sorts of attacks. Please let me know if you want more information. I hope that you appreciate my ethical disclosure of this vulnerability, expecting a reward as a token of appreciation for this.
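As an added example, not code from the report or from this forum, here is a small Python checker that classifies a response's framing protection along the lines the report's fix implies: a CSP frame-ancestors directive is authoritative, X-Frame-Options DENY/SAMEORIGIN is an acceptable fallback, and ALLOW-FROM is flagged because browsers that never implemented it ignore the header. The header values it runs over are constructed samples, not captured from any site.

```python
def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP string, or None
    if the directive is absent. An empty list blocks all framing (the spec
    treats an empty source list like 'none')."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def assess(headers):
    """Classify a response's clickjacking protection.

    Returns {"protected": bool, "mechanism": str, "findings": [str, ...]}.
    When both headers are present, browsers that support CSP enforce
    frame-ancestors and ignore X-Frame-Options, so CSP is checked first.
    Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().lower()
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    findings = []

    if ancestors is not None:
        if "*" in ancestors:
            findings.append("frame-ancestors allows any origin (*)")
            return {"protected": False, "mechanism": "csp", "findings": findings}
        return {"protected": True, "mechanism": "csp", "findings": findings}

    if xfo in ("deny", "sameorigin"):
        findings.append("relies on X-Frame-Options only; add frame-ancestors")
        return {"protected": True, "mechanism": "xfo", "findings": findings}
    if xfo.startswith("allow-from"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored "
                        "by browsers that never implemented it")
    elif xfo:
        findings.append(f"unrecognised X-Frame-Options value: {xfo!r}")
    else:
        findings.append("no X-Frame-Options header")
    findings.append("no frame-ancestors directive in Content-Security-Policy")
    return {"protected": False, "mechanism": "none", "findings": findings}


# Constructed sample responses (not captured from any real site)
SAMPLES = {
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "nothing": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, assess(hdrs))
```

To check a live response, pass the header mapping returned by your HTTP client of choice to assess(); only the two headers above are consulted.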

 


Posts: 1177
Admin
(@stevland)
Member
Joined: 2 months ago

This is absolutely not a thing that you need to worry about.
