Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Beghelli Sicuro24 SicuroWeb does not enforce a Content Security Policy, allowing unrestricted loading of external JavaScript resources from attacker-controlled origins. When chained with the template injection and sandbox escape vulnerabilities present in the same application, the absence of CSP removes the browser-enforced restriction that would otherwise block external script execution, enabling attackers to load arbitrary remote payloads into operator browser sessions.
AnalysisAI
Beghelli SicuroWeb (Sicuro24) lacks Content Security Policy enforcement, permitting unrestricted loading of external JavaScript from attacker-controlled origins. When combined with template injection and sandbox escape flaws in the same application, this missing security header removes browser-enforced protections that would otherwise prevent external script execution, enabling attackers to inject arbitrary remote payloads into operator sessions. Publicly available exploit code exists, and SSVC analysis confirms exploitability is achievable but not automatable, with partial technical impact.
Technical ContextAI
Content Security Policy (CSP) is a browser-enforced security mechanism that restricts the origins from which scripts, stylesheets, fonts, and other resources may be loaded into a webpage. The absence of CSP headers (CWE-693: Missing Authorization) is a control weakness rather than a direct code vulnerability, but becomes critical when paired with code injection flaws. In SicuroWeb, the lack of CSP combined with template injection vulnerabilities creates a multi-stage attack surface: template injection allows injecting script tags or event handlers, and without CSP, the browser will execute any external JavaScript loaded from attacker-controlled domains. The vulnerability is context-dependent on the presence of other flaws (template injection, sandbox escape) but removes a fundamental browser-based defense layer. This attack vector typically targets operator/administrator sessions where elevated privileges exist.
RemediationAI
Apply a vendor-supplied security patch or firmware update from Beghelli; contact Beghelli technical support or monitor their security advisory page (beghelli.it) for a patched version number. As an interim compensating control, implement a Web Application Firewall (WAF) rule set to inject Content-Security-Policy headers with 'default-src self; script-src self' (blocking external script loading) - note this requires WAF deployment in-path and does not address the underlying code injection flaws. Alternatively, restrict operator network access to SicuroWeb through network segmentation or a VPN with additional authentication, reducing the attack surface to trusted operator devices only. Conduct a comprehensive security assessment of SicuroWeb deployments to identify and patch the template injection and sandbox escape vulnerabilities referenced in the CVE description, as these are prerequisites for exploitation. Disable or restrict JavaScript execution in operator browsers if operationally feasible, though this may degrade SicuroWeb functionality.
More in Sicuroweb Sicuro24
View allSame weakness CWE-693 – Protection Mechanism Failure
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25077