Content Security Policy Flaw in ENS Control Browser Extension by Trellix
CVE-2024-0310
6.1 MEDIUM
What is CVE-2024-0310?
The ENS Control browser extension prior to version 10.7.0 Update 15 contains a content-security-policy vulnerability that permits remote attackers to modify the response header parameter settings. This manipulation can switch the content security policy into report-only mode, in which violations are reported but not blocked, and so allows attackers to circumvent the established content security policy configuration. Such a vulnerability can expose users to various attacks that exploit potentially harmful content.
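A defender can check for this condition by comparing the CSP headers a site sends with the headers the browser actually receives. The following is an added example, not code from Trellix or from the original page; the function names and the sample header sets are constructed, and how the two header sets are captured (for instance server logs versus the browser's network panel) is left as an assumption.

```javascript
// Added example: names and sample headers are constructed for illustration.
const ENFORCE = 'content-security-policy';
const REPORT_ONLY = 'content-security-policy-report-only';

// Normalise [name, value] pairs: header names are case-insensitive and a
// response may carry several CSP headers, so collect values per name.
function collect(headerPairs) {
  const byName = new Map();
  for (const [name, value] of headerPairs) {
    const key = name.trim().toLowerCase();
    if (!byName.has(key)) byName.set(key, []);
    byName.get(key).push(value.trim());
  }
  return byName;
}

// 'enforced' if any non-empty enforcing policy is present, 'report-only' if
// only the monitoring header is present, 'none' otherwise.
function cspMode(headerPairs) {
  const h = collect(headerPairs);
  if ((h.get(ENFORCE) || []).some(v => v !== '')) return 'enforced';
  if ((h.get(REPORT_ONLY) || []).some(v => v !== '')) return 'report-only';
  return 'none';
}

// Compare what the origin sent with what the browser received and flag a
// response whose policy was enforced at the origin but is not on arrival.
function detectDowngrade(sentPairs, receivedPairs) {
  const sent = cspMode(sentPairs);
  const received = cspMode(receivedPairs);
  return { sent, received, downgraded: sent === 'enforced' && received !== 'enforced' };
}

// Constructed sample data: the same policy, moved to the report-only header.
const sentByOrigin = [
  ['Content-Type', 'text/html'],
  ['Content-Security-Policy', "default-src 'self'; script-src 'self'"],
];
const seenInBrowser = [
  ['content-type', 'text/html'],
  ['Content-Security-Policy-Report-Only', "default-src 'self'; script-src 'self'"],
];

console.log(detectDowngrade(sentByOrigin, seenInBrowser));
```

A response that carries both headers still counts as enforced, because the browser applies the enforcing policy regardless of any report-only policy alongside it.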
Affected Version(s)
Trellix Endpoint Security (ENS) Web Control: prior to 10.7.0 Update 15