Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The CSP policy applied on the tips.hushline.app
website and bundled by default in this repository is trivial to bypass. This vulnerability has been patched in version 0.1.0.
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Hush_line | Hushline | * | 0.1.0 (excluding) |