CVE-2024-29896 – @kindspells/astro-shield

Package

Manager: npm
Name: @kindspells/astro-shield
Vulnerable Version: =1.2.0 || >=1.2.0 <1.3.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00092 pctl0.26807

Details

Content-Security-Policy header generation in middleware could be compromised by malicious injections ### Impact When the following conditions are met: - Automated CSP headers generation for SSR content is enabled - The web application serves content that can be partially controlled by external users Then it is possible that the CSP headers generation feature might be "allow-listing" malicious injected resources like inlined JS, or references to external malicious scripts. ### Patches Available in version 1.3.0 . ### Workarounds - Do not enable CSP headers generation. - Use it only for dynamically generated content that cannot be controlled by external users in any way. ### References _Are there any links users can visit to find out more?_

Metadata

Created: 2024-03-29T19:03:59Z
Modified: 2024-09-12T13:52:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-w387-5qqw-7g8m/GHSA-w387-5qqw-7g8m.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-w387-5qqw-7g8m
Finding: F184
Auto approve: 1