Castarco

**Name of the Vulnerable Software and Affected Versions** Astro-Shield versions 1.2.0 through 1.3.1 **Description** Astro-Shield is an integration to enhance website security with SubResource Integrity hashes, Content-Security-Policy headers, and other techniques. The issue allows bypass to the allow-lists for cross-origin resources by introducing valid `integrity` attributes to the injected code, which would lead the browser to believe that the injected resource is legit. To exploit this, an attacker needs to first inject code into the rendered pages by exploiting other potential vulnerabilities. **Recommendations** For Astro-Shield versions 1.2.0 through 1.3.1, update to version 1.3.2 to patch the vulnerability. As a temporary workaround, consider not using the middleware functionality of Astro-Shield, or use it only for content that cannot be controlled in any way by external users.

**Name of the Vulnerable Software and Affected Versions** Astro-Shield versions prior to 1.3.0 **Description** Astro-Shield is a library used to compute subresource integrity hashes for JavaScript scripts and CSS stylesheets. When automated Content Security Policy (CSP) headers generation for Server-Side Rendering (SSR) content is enabled and the web application serves content that can be partially controlled by external users, there is a possibility that the CSP headers generation feature might allow malicious injected resources, such as inlined JavaScript or references to external malicious scripts. **Recommendations** For versions prior to 1.3.0, update to version 1.3.0 to resolve the issue. As a temporary workaround, consider disabling the automated CSP headers generation feature until a patch is available. Alternatively, use the CSP headers generation feature only for dynamically generated content that cannot be controlled by external users in any way.