An Unsafe Content Security Policy (CSP) Directive in Use
Severity:
Information
Summary
Invicti detected that one of following CSP directives is used:
- unsafe-eval
- unsafe-inline
By using unsafe-eval, you allow the use of string evaluation functions like eval.
By using unsafe-inline, you allow the execution of inline scripts, which almost defeats the purpose of CSP. When this is allowed, it's very easy to successfully exploit a Cross-site Scripting vulnerability on your website.
Impact
An attacker can bypass CSP and exploit a Cross-site Scripting vulnerability successfully.
Remediation
If possible remove unsafe-eval and unsafe-inline from your CSP directives.
Required Skills for Successful Exploitation
Actions To Take
Classifications
Vulnerability Index
You can search and find all vulnerabilities
Select Category
Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Featured resources
Build your resistance to threats. And save hundreds of hours each month.
