Permissive List of Allowed Inputs

CVE-2024-38522

Medium

6.3/10

Summary

Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The CSP policy applied on the `tips.hushline.app` website and bundled by default in this repository is trivial to bypass. This vulnerability has been patched in version 0.1.0.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: LOW

CWE-183 - Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

References

Advisory Timeline

Published Jun 28, 2024

Permissive List of Allowed Inputs

CVE-2024-38522

Summary

CWE-183 - Permissive List of Allowed Inputs

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS