Content Security Policy allows unsafe-inline

Issue date: 12-04-2022
Affects versions: 14.7, 13.4, 12.6

Security Issue ID

SECURITY-280


Affected Product Version(s)
All versions previous to 15.0.0


Severity

low


Description

The Content-Security-Policy defined for versions of brXM prior to 15.0.0 includes the "unsafe-inline" source expression without nonce or hash validation. If a Cross-Site-Scripting vulnerability exists within the CMS application, an attacker could exploit it by injecting an inline script with malicious content. While "unsafe-inline" does not represent a security risk by itself, it makes the existing Content-Security-Policy ineffective as a protection against Cross-Site-Scripting attacks.

brXM 15.0.0 has been reworked so that a stricter Content-Security-Policy is technically feasible, and that stricter policy is now in place. Highly security-conscious customers may wish to upgrade to 15.0.0 to gain the benefit of this extra layer of protection.
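The check below is an added example, not code from this advisory or from brXM: it parses a Content-Security-Policy header and reports whether inline scripts are still permitted. It encodes the rule the advisory relies on: under CSP Level 2 a browser ignores 'unsafe-inline' once the governing directive also carries a nonce- or hash-source (and, under CSP Level 3, 'strict-dynamic'), so a policy that lists 'unsafe-inline' alone is the weak form and a policy with a per-response nonce is the hardened form. The two policy strings are constructed for illustration and the nonce value is a placeholder; a real deployment must generate a fresh random nonce for every response.

```python
"""Audit a Content-Security-Policy header for an effective 'unsafe-inline'.

Finds the directive that governs <script> (script-src, falling back to
default-src) and decides whether 'unsafe-inline' actually takes effect.
"""
import re

# Grammar for nonce-source and hash-source expressions (CSP Level 2).
NONCE_OR_HASH = re.compile(
    r"^'(?:nonce-[A-Za-z0-9+/_=-]+|sha(?:256|384|512)-[A-Za-z0-9+/_=-]+)'$",
    re.IGNORECASE,
)

# Constructed sample policies (not brXM's actual headers).
WEAK_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'"
)
# Placeholder nonce: in production this must be a random value per response.
STRICT_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-PLACEHOLDER_RANDOM_NONCE' 'strict-dynamic'; "
    "object-src 'none'; base-uri 'self'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # A repeated directive name is ignored after its first occurrence.
        policy.setdefault(name, tokens[1:])
    return policy


def script_sources(policy: dict[str, list[str]]):
    """Return the source list governing <script>, or None if nothing does."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_allowed(header: str) -> bool:
    """True if an injected inline <script> would execute under this policy."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        # Neither script-src nor default-src: the policy does not restrict scripts.
        return True
    lowered = [s.lower() for s in sources]
    has_unsafe_inline = "'unsafe-inline'" in lowered
    # CSP2: a nonce or hash in the same directive makes 'unsafe-inline' a no-op.
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    # CSP3: 'strict-dynamic' likewise causes 'unsafe-inline' to be ignored.
    has_strict_dynamic = "'strict-dynamic'" in lowered
    return has_unsafe_inline and not (has_nonce_or_hash or has_strict_dynamic)


def audit(header: str) -> str:
    """One-line verdict suitable for a header-scanning script."""
    if inline_script_allowed(header):
        return "WEAK: inline scripts allowed; CSP does not mitigate XSS"
    return "OK: inline scripts blocked unless nonce/hash matches"


if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"{label:6s} -> {audit(header)}")
```

Run it against the response headers of each CMS endpoint, not just the landing page: the advisory's point is that one policy with an effective 'unsafe-inline' is enough to void the XSS protection wherever an injection exists.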