GHSA-39mx-wj78-mm9g

Опубликовано: 25 июл. 2025

Источник: github

Github: Не прошло ревью

CVSS4: 8.4

Описание

A client-side security misconfiguration vulnerability exists in OpenBlow whistleblowing platform across multiple versions and default deployments, due to the absence of critical HTTP response headers including Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. This omission weakens browser-level defenses and exposes users to cross-site scripting (XSS), clickjacking, and referer leakage. Although some instances attempt to enforce CSP via HTML tags, this method is ineffective, as modern browsers rely on header-based enforcement to reliably block inline scripts and untrusted resources.

Ссылки

EPSS

Процентиль: 4%

0.0002

Низкий

8.4 High

CVSS4

CVE ID

CVE-2025-34114

Дефекты

CWE-94

Связанные уязвимости

CVE-2025-34114

nvd

7 месяцев назад

A client-side security misconfiguration vulnerability exists in OpenBlow whistleblowing platform across multiple versions and default deployments, due to the absence of critical HTTP response headers including Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. This omission weakens browser-level defenses and exposes users to cross-site scripting (XSS), clickjacking, and referer leakage. Although some instances attempt to enforce CSP via HTML <meta> tags, this method is ineffective, as modern browsers rely on header-based enforcement to reliably block inline scripts and untrusted resources.

EPSS

Процентиль: 4%

0.0002

Низкий

8.4 High

CVSS4

CVE ID

CVE-2025-34114

Дефекты

CWE-94