Content Security Policy allows unsafe-inline 

Issue date: 12-04-2022
Affects versions: 14.7, 13.4, 12.6

Security Issue ID



Affected Product Version(s)
All versions previous to 15.0.0




The Content-Security-Policy defined for versions of brXM prior to 15.0.0 includes the "unsafe-inline" directive without nonce or hash validation. If a Cross-Site-Scripting vulnerability exists within the CMS application, an attacker could exploit it by injecting an inline script with malicious content. While "unsafe-inline" does not represent a security risk by itself, it makes existing Content-Security-Policy ineffective as a protection from Cross-Site-Scripting attacks.

brXM 15.0.0 has been improved so that a stricter Content-Security-Policy is technically feasible, and it has now been implemented. Highly security-conscious customers may wish to upgrade to 15.0.0 to gain the benefit of this extra layer of protection.