THREATINT
PUBLISHED

CVE-2025-34114

OpenBlow Missing Critical Security Headers



Description

A client-side security misconfiguration vulnerability exists in the OpenBlow whistleblowing platform across multiple versions and default deployments, due to the absence of critical HTTP response headers, including Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. This omission weakens browser-level defenses and exposes users to cross-site scripting (XSS), clickjacking, and referer leakage. Although some instances attempt to enforce CSP via HTML <meta> tags, this method is ineffective, as modern browsers rely on header-based enforcement to reliably block inline scripts and untrusted resources.
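A deployment check for the condition described above, as an added example that is not part of the advisory or of OpenBlow's code: it reports which of the five listed headers a response lacks and whether CSP arrives only through a <meta> tag. It goes one step beyond the description by also listing the directives (frame-ancestors, report-uri, sandbox) that the CSP specification tells browsers to ignore in a <meta> policy; the function name, result keys and sample response are assumptions constructed for illustration.

```python
import re

# The five response headers the advisory lists as absent.
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "Referrer-Policy",
    "Permissions-Policy",
    "Cross-Origin-Embedder-Policy",
    "Cross-Origin-Resource-Policy",
)
# Directives the CSP specification says are ignored when the policy comes from <meta>.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}
# A <meta> tag carrying http-equiv="Content-Security-Policy", and its content attribute.
META_CSP = re.compile(
    r"<meta\b[^>]*http-equiv\s*=\s*[\"']?content-security-policy[\"']?[^>]*>",
    re.IGNORECASE)
CONTENT_ATTR = re.compile(r"\bcontent\s*=\s*([\"'])(.*?)\1", re.IGNORECASE | re.DOTALL)

# Constructed sample response (not captured from a real instance).
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "referrer-policy": "no-referrer"}
SAMPLE_BODY = """<html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-ancestors 'none'">
</head><body>report form</body></html>"""

def audit_response(headers, body):
    """Audit one HTTP response: a header dict (names compared case-insensitively) and its HTML body."""
    present = {name.lower() for name in headers}
    missing = [h for h in REQUIRED_HEADERS if h.lower() not in present]
    meta_policy = None
    tag = META_CSP.search(body)
    if tag:
        attr = CONTENT_ATTR.search(tag.group(0))
        meta_policy = attr.group(2).strip() if attr else ""
    names = [d.split()[0].lower() for d in (meta_policy or "").split(";") if d.strip()]
    return {
        "missing_headers": missing,
        # A policy exists in the markup but no CSP header backs it.
        "csp_meta_only": meta_policy is not None and "content-security-policy" not in present,
        # Clickjacking protection via frame-ancestors has no effect from <meta>.
        "meta_directives_ignored": [n for n in names if n in META_IGNORED],
    }

if __name__ == "__main__":
    print(audit_response(SAMPLE_HEADERS, SAMPLE_BODY))
```

Feed it the headers and body of each page type the instance serves (login, submission form, static assets), since headers are often set per route rather than globally.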

Reserved 2025-04-15 | Published 2025-07-25 | Updated 2025-07-25 | Assigner VulnCheck


HIGH: 8.4 | CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-749 Exposed Dangerous Method or Function

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected

*: affected

Credits

Tifa Lockhart (finder)

References

seclists.org/fulldisclosure/2025/Jul/13 (third-party-advisory, exploit)

www.openblow.it (product)

www.vulncheck.com/...nblow-missing-critical-security-headers (third-party-advisory)

cve.org (CVE-2025-34114)

nvd.nist.gov (CVE-2025-34114)
