{"uuid": "b12cf388-9df9-4fea-a874-f22ea56e3655", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-7ww3-xvf5-cxwm", "type": "seen", "source": "https://gist.github.com/alon710/1d05503905d86d5b6619223d3f318c59", "content": "# GHSA-7WW3-XVF5-CXWM: GHSA-7ww3-xvf5-cxwm: Missing Defense-in-Depth HTTP Headers in ciguard Web UI\n\n> **CVSS Score:** 4.3\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/GHSA-7WW3-XVF5-CXWM\n\n## Summary\nThe ciguard Web UI (versions prior to 0.8.2) lacks essential HTTP security headers. This absence exposes the application to client-side attacks, including Clickjacking, potential Cross-Site Scripting (XSS) via lack of Content-Security-Policy (CSP), and supply-chain risks due to missing Subresource Integrity (SRI) checks on external CDN assets.\n\n## TL;DR\nciguard < 0.8.2 is missing critical security headers like CSP and X-Frame-Options, allowing clickjacking and CDN-based attacks. The vulnerability was patched in version 0.8.2 by implementing custom security middleware.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-693, CWE-1021, CWE-353\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 4.3 (Medium)\n- **User Interaction**: Required (UI:R)\n- **Exploit Status**: Proof of Concept (ZAP Scan)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- ciguard Web UI\n- **ciguard**: >= 0.1.0, < 0.8.2 (Fixed in: `0.8.2`)\n\n## Mitigation\n\n- Upgrade the ciguard package to version 0.8.2 or higher.\n- Implement an intermediate reverse proxy (e.g., Nginx, HAProxy) to inject standard HTTP security headers if direct patching is unavailable.\n\n**Remediation Steps:**\n1. Verify the currently installed version of ciguard in your environment.\n2. Run the package manager update command to fetch version 0.8.2 or greater (e.g., `pip install ciguard==0.8.3`).\n3. Restart the FastAPI/Uvicorn server process serving the Web UI.\n4. Execute `curl -sI http://localhost:8080/ | grep X-Frame` to confirm the presence of the new headers.\n\n## References\n\n- [GitHub Advisory Page](https://github.com/advisories/GHSA-7ww3-xvf5-cxwm)\n- [Original Security Advisory](https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-7ww3-xvf5-cxwm)\n- [Release v0.8.2](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2)\n- [Release v0.8.3](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3)\n- [Project Repository](https://github.com/Jo-Jo98/ciguard)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-7WW3-XVF5-CXWM) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-06T03:10:29.000000Z"}