CVE-2024-55888 HIGH

CVE-2024-55888: Content Security Policy appears to be missing in software and production setup

Vendor Scidsg
Product hushline
Weakness CWE-1021
Published December 12, 2024
Last update December 13, 2024

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Hush Line is an open-source whistleblower management system. Starting in version 0.1.0 and prior to version 0.3.5, the productions server appeared to have been misconfigured and missed providing any content security policy or security headers. This could result in bypassing of cross-site scripting filters. Version 0.3.5 fixed the issue.

Key dates

02Disclosure timeline

December 12, 2024 CVE published
December 13, 2024 Record updated