There is no protection against clickjacking attacks in CWM (neither an X-Frame-Options header nor frame-busting code). This also makes it possible to exploit some self-XSS issues in CWM (TOOLS-1913, TOOLS-1914, TOOLS-1915) that are triggered when the user types text into input fields and then clicks buttons.
More information about the attack and available solutions:
Add an X-Frame-Options header using Nginx with the value "DENY" or "SAMEORIGIN".
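As an added example (not part of this ticket or of the CWM deployment), the Nginx server block below adds the header in front of CWM; the hostname and backend address are assumed placeholders. It also covers two Nginx pitfalls: without `always` the header is only added to 2xx/3xx responses, and a `location` that declares its own `add_header` does not inherit the server-level one.

```nginx
server {
    listen 443 ssl;
    server_name cwm.example.internal;      # assumed hostname (placeholder)

    # Forbid framing by other origins. Use "DENY" instead if CWM never
    # frames its own pages. "always" makes Nginx emit the header on every
    # status code, including 4xx/5xx error pages, which would otherwise
    # stay frameable.
    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        proxy_pass http://127.0.0.1:8080;  # assumed CWM backend (placeholder)
    }

    location /static/ {
        # This location defines its own add_header, so the server-level
        # add_header directives are NOT inherited: repeat the protection here.
        add_header Cache-Control "public, max-age=3600";
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

After reloading Nginx, confirm the header on both a normal page and an error page, e.g. `curl -sI https://cwm.example.internal/ | grep -i x-frame-options` and the same against a non-existent path.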