CVE Details
Basic Information
| Title | OpenBlow Missing Critical Security Headers |
|---|---|
| Type | cve |
| Published | 2025-07-25T15:52:56.387Z |
| Modified | 2025-07-25T15:52:56.387Z |
Product Information
| Vendor | Laser Romae s.r.l. |
|---|---|
| Product | OpenBlow |
| Version | * |
CVSS Information
| Base Score | 8.4 (HIGH) |
|---|---|
| Attack Vector | CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
AI Analysis
| AI Description | OpenBlow whistleblowing platform has a security misconfiguration due to missing critical HTTP headers, exposing users to XSS, clickjacking, and referer leakage. Ineffective meta tags are used instead of proper headers. |
|---|---|
| AI Severity | Critical |
| AI Vendor | Laser Romae s.r.l. |
| AI Product | OpenBlow |
| AI Version | All versions |
Affected Products
- Laser Romae s.r.l. OpenBlow *
Additional Information
| CWE List | CWE-749, CWE-94 |
|---|---|
| Source | VulnCheck |
Description
A client-side security misconfiguration vulnerability exists in OpenBlow whistleblowing platform across multiple versions and default deployments, due to the absence of critical HTTP response headers including Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. This omission weakens browser-level defenses and exposes users to cross-site scripting (XSS), clickjacking, and referer leakage. Although some instances attempt to enforce CSP via HTML tags, this method is ineffective, as modern browsers rely on header-based enforcement to reliably block inline scripts and untrusted resources.