View Issue Details

ID: 0032932
Project: mantisbt
Category: security
View Status: public
Last Update: 2023-10-06 06:52
Reporter: nhchoudhary
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: 2.25.6
Summary: 0032932: Insecure Content-Security-Policy (CSP)
Description

The web server employed an insecure Content Security Policy (CSP). CSPs place limitations on what type of code can be executed, remote content incorporated and framing allowed. The application's CSP has overly broad host definitions, narrow resource protections or other flaws that could facilitate an attacker's ability to inject malicious code, incorporate malicious content or frame user sessions for phishing attacks.
Observed URL(s) but not limited to:
/view_all_bug_page.php
/query_store_page.php

Steps To Reproduce

Observe that the CSP is set with the 'unsafe-inline' directive.
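The weaknesses the report lists (an 'unsafe-inline' script source, overly broad hosts, no framing restriction) can be checked mechanically from the header value. The following audit routine is an added example and is not MantisBT code; the `WEAK_CSP` string is a constructed sample, not the header MantisBT 2.25.6 actually sends, and `build_hardened_csp` shows one nonce-based policy shape that would clear the same checks.

```python
"""Audit a Content-Security-Policy header value for the weaknesses named in the report.

Added example, not part of MantisBT. The sample header below is constructed for
illustration and is not the real header sent by the affected pages.
"""
from typing import Dict, List

# Source expressions that make a directive effectively open (report: "overly broad host definitions").
BROAD_SOURCES = {"*", "http:", "https:", "data:"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for clause in header.split(";"):
        parts = clause.strip().split()
        if parts:
            # Browsers ignore a repeated directive, so the first occurrence wins here too.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that govern `directive`: fetch directives fall back to default-src,
    frame-ancestors does not. Lower-cased for keyword comparison only."""
    if directive in policy:
        return [s.lower() for s in policy[directive]]
    if directive != "frame-ancestors":
        return [s.lower() for s in policy.get("default-src", [])]
    return []


def audit_csp(header: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no weakness detected."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline', so only
        # flag it when nothing narrower is offered.
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append(f"{directive}: 'unsafe-inline' permits injected inline code")
        if directive == "script-src" and "'unsafe-eval'" in sources:
            findings.append("script-src: 'unsafe-eval' permits string-to-code execution")
        broad = BROAD_SOURCES.intersection(sources)
        if broad:
            findings.append(f"{directive}: overly broad source(s) {sorted(broad)}")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: page may be framed for phishing/UI redress")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src missing: plugin content is unrestricted")
    return findings


def build_hardened_csp(nonce: str) -> str:
    """One policy shape that clears audit_csp; `nonce` must be fresh per response."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "style-src 'self'; "
        "object-src 'none'; "
        "frame-ancestors 'self'; "
        "base-uri 'self'"
    )


# Constructed sample header exhibiting the reported pattern (not MantisBT's real header).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *; style-src 'self' 'unsafe-inline'"

if __name__ == "__main__":
    for finding in audit_csp(WEAK_CSP):
        print("WEAK:", finding)
    print("hardened findings:", audit_csp(build_hardened_csp("c0nstructedN0nce")))
```

Run it against the `Content-Security-Policy` value captured from the observed pages; the script only inspects the header text, so it works on a saved response. Pages that rely on inline scripts need the nonce (or a hash) emitted into each `<script>` tag before the hardened policy can be deployed without breaking them.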

Tags: No tags attached.

Relationships

duplicate of 0021908 (confirmed): Weakened security headers in 2.0.x

Activities

dregad (developer), 2023-09-14 03:01, note ~0068095

Thanks for reporting the problem. We will look into it as soon as possible.

In the future, please always report security issues as private, following our guidelines https://mantisbt.org/wiki/doku.php/mantisbt:handling_security_problems

dregad (developer), 2023-09-14 03:25, note ~0068101

Duplicate of 0021908