GHSA-w387-5qqw-7g8m

Suggest an improvement
Source
https://github.com/advisories/GHSA-w387-5qqw-7g8m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-w387-5qqw-7g8m/GHSA-w387-5qqw-7g8m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-w387-5qqw-7g8m
Aliases
Published
2024-03-29T19:03:59Z
Modified
2024-09-12T13:52:22Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Content-Security-Policy header generation in middleware could be compromised by malicious injections
Details

Impact

When the following conditions are met: - Automated CSP headers generation for SSR content is enabled - The web application serves content that can be partially controlled by external users

Then it is possible that the CSP headers generation feature might be "allow-listing" malicious injected resources like inlined JS, or references to external malicious scripts.

Patches

Available in version 1.3.0 .

Workarounds

  • Do not enable CSP headers generation.
  • Use it only for dynamically generated content that cannot be controlled by external users in any way.

References

Are there any links users can visit to find out more?

Database specific 
{
    "github_reviewed_at": "2024-03-29T19:03:59Z",
    "nvd_published_at": "2024-03-28T13:15:47Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-74"
    ]
}
References

Affected packages

npm / @kindspells/astro-shield

Package

Name
@kindspells/astro-shield
View open source insights on deps.dev
Purl
pkg:npm/%40kindspells/astro-shield

Affected ranges

Type
SEMVER
Events
Introduced
1.2.0
Fixed
1.3.0

Affected versions

1.*

1.2.0