DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-7ww3-xvf5-cxwm: Missing Defense-in-Depth HTTP Headers in ciguard Web UI

Vulnerability ID: GHSA-7WW3-XVF5-CXWM
CVSS Score: 4.3
Published: 2026-05-05

The ciguard Web UI (versions prior to 0.8.2) does not set standard HTTP security headers. Without them the application loses the browser-enforced protections that limit client-side attacks: the UI can be embedded in a frame by another origin (Clickjacking), there is no Content-Security-Policy (CSP) to contain any Cross-Site Scripting (XSS) bug that may exist, and scripts and stylesheets loaded from external CDNs carry no Sub-Resource Integrity (SRI) attributes, so a tampered or substituted CDN asset would execute unchecked (a supply-chain risk).

TL;DR

ciguard < 0.8.2 does not send defense-in-depth headers such as Content-Security-Policy and X-Frame-Options, and loads CDN assets without SRI, leaving the Web UI open to clickjacking and to tampered CDN assets. Version 0.8.2 fixes this with custom security middleware.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-693 (Protection Mechanism Failure), CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), CWE-353 (Missing Support for Integrity Check)
  • Attack Vector: Network
  • CVSS v3.1 Score: 4.3 (Medium)
  • User Interaction: Required (UI:R)
  • Exploit Status: Proof of Concept (ZAP Scan)
  • KEV Status: Not Listed

Affected Systems

  • ciguard Web UI
  • ciguard: >= 0.1.0, < 0.8.2 (Fixed in: 0.8.2)

Mitigation Strategies

  • Upgrade the ciguard package to version 0.8.2 or higher.
  • If upgrading is not immediately possible, place a reverse proxy (e.g., Nginx, HAProxy) in front of the UI and have it add the missing headers (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy). Roll the CSP out as Content-Security-Policy-Report-Only first and allow only the CDN origins the UI actually loads from, otherwise an enforced policy will break the UI. A proxy can add headers but cannot add SRI integrity attributes to the served HTML, so this workaround covers only the header part of the finding.

Remediation Steps:

  1. Verify the currently installed version of ciguard in your environment.
  2. Run the package manager update command to fetch version 0.8.2 or greater (e.g., pip install "ciguard>=0.8.2").
  3. Restart the FastAPI/Uvicorn server process serving the Web UI.
  4. Execute curl -s -D - -o /dev/null http://localhost:8080/ | grep -iE 'content-security-policy|x-frame-options' to confirm the new headers are present (this sends a GET and dumps the response headers; curl -sI sends a HEAD request, which some FastAPI routes do not serve, and header names are case-insensitive, hence grep -i). Adjust the port to your deployment.
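
The following Python is an added illustration, not code from the ciguard project or from this advisory. It shows the two halves of the remediation above: (a) the kind of custom security middleware the TL;DR and step 3 refer to, written as pure ASGI so it wraps a FastAPI/Uvicorn app with no extra dependencies, and (b) the check in step 4 as a parser over a curl header dump, so the same assertion can run in a unit test without a live server. The header values, the HSTS-only-over-https rule and the CDN origin cdn.example.com are assumptions chosen for the example; the values ciguard 0.8.2 actually ships are not on this page.

```python
import asyncio
from typing import Dict, Iterable, List, Tuple

# Hypothetical CDN origin the UI pulls assets from; replace with the real one.
CDN_ORIGIN = "https://cdn.example.com"

# Defense-in-depth defaults chosen for this example, not ciguard's shipped values.
SECURITY_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": (
        "default-src 'self'; "
        f"script-src 'self' {CDN_ORIGIN}; "
        f"style-src 'self' {CDN_ORIGIN}; "
        "img-src 'self' data:; object-src 'none'; base-uri 'self'; "
        "frame-ancestors 'none'"  # modern equivalent of X-Frame-Options: DENY
    ),
    "X-Frame-Options": "DENY",  # kept for browsers without frame-ancestors support
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}
# HSTS only makes sense on an https:// scheme; browsers ignore it over plain HTTP.
HSTS = ("Strict-Transport-Security", "max-age=63072000; includeSubDomains")

# Header names the verification step expects, lower-cased for comparison.
REQUIRED = tuple(name.lower() for name in SECURITY_HEADERS)


class SecurityHeadersMiddleware:
    """Pure ASGI middleware: wraps any ASGI app (a FastAPI instance included)
    and adds the headers above to every HTTP response. Headers the route
    already set are left alone, so a page can deliberately loosen its CSP."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        extra = dict(SECURITY_HEADERS)
        if scope.get("scheme") == "https":
            extra[HSTS[0]] = HSTS[1]

        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                headers: List[Tuple[bytes, bytes]] = list(message.get("headers", []))
                present = {name.lower() for name, _ in headers}
                for name, value in extra.items():
                    key = name.lower().encode("latin-1")
                    if key not in present:
                        headers.append((key, value.encode("latin-1")))
                message = {**message, "headers": headers}
            await send(message)

        await self.app(scope, receive, send_wrapper)


def missing_headers(raw_headers: str, required: Iterable[str] = REQUIRED) -> List[str]:
    """Parse a `curl -D -` style header dump and return the required header
    names that are absent. Names are compared case-insensitively."""
    present = set()
    for line in raw_headers.splitlines():
        name, sep, _ = line.partition(":")
        if sep:  # the status line ("HTTP/1.1 200 OK") has no colon and is skipped
            present.add(name.strip().lower())
    return [h for h in required if h not in present]


async def _bare_app(scope, receive, send):
    """Constructed stand-in for the Web UI: one HTML response, no security headers."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/html; charset=utf-8")]})
    await send({"type": "http.response.body", "body": b"<html><body>ciguard</body></html>"})


def response_headers(scheme: str = "http") -> Dict[str, str]:
    """Drive the wrapped app in-process (no Uvicorn needed) and return the
    response headers it emits; a unit test for the middleware works the same way."""
    app = SecurityHeadersMiddleware(_bare_app)
    scope = {"type": "http", "method": "GET", "path": "/", "scheme": scheme,
             "headers": [], "query_string": b""}
    collected: Dict[str, str] = {}

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        if message["type"] == "http.response.start":
            for key, value in message["headers"]:
                collected[key.decode("latin-1")] = value.decode("latin-1")

    asyncio.run(app(scope, receive, send))
    return collected


if __name__ == "__main__":
    hdrs = response_headers("https")
    dump = "HTTP/1.1 200 OK\r\n" + "\r\n".join(f"{k}: {v}" for k, v in hdrs.items())
    print(dump)
    print("missing:", missing_headers(dump))  # expected: []
```

To apply it to a real FastAPI app, register the class with app.add_middleware(SecurityHeadersMiddleware) or point Uvicorn at SecurityHeadersMiddleware(app); middleware of this shape runs below the framework, so it also covers static files and error responses. Note that none of this addresses the SRI part of the finding: integrity attributes live on the script and link tags in the served templates, not in a response header.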

