Missing Implementation of unsafe-hashes CSP Directive in Firefox < 108 Allows Script Injection

Missing Implementation of unsafe-hashes CSP Directive in Firefox < 108 Allows Script Injection

CVE-2022-46873 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Because Firefox did not implement the <code>unsafe-hashes</code> CSP directive, an attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject executable script. This would be severely constrained by the specified Content Security Policy of the document. This vulnerability affects Firefox < 108.

Learn more about our Web Application Penetration Testing UK.