
GHSA-w387-5qqw-7g8m: Content-Security-Policy header generation in middleware could be compromised by malicious injections

Impact

When the following conditions are met:

  • Automated CSP header generation for SSR content is enabled
  • The web application serves content that can be partially controlled by external users

Then the CSP header generation feature may allow-list resources that an attacker injected into that content, such as inline JavaScript or references to external malicious scripts. Because the generated policy is derived from the rendered output, an injected script is treated like any other script on the page and ends up authorised by the very header that was supposed to block it.

Patches

Available in version 1.3.0.

Workarounds

  • Do not enable CSP header generation.
  • Use it only for dynamically generated content that cannot be controlled by external users in any way.



CVE-2024-29896

High severity GitHub Reviewed Published Mar 27, 2024 in kindspells/astro-shield • Updated Mar 29, 2024

Package

npm @kindspells/astro-shield (npm)

Affected versions

= 1.2.0

Published to the GitHub Advisory Database: Mar 29, 2024

Last updated: Mar 29, 2024