The yelp-xsl component in Yelp features an overly permissive Content Security Policy, which may allow attackers to bypass intended security constraints.

The vulnerability stems from an insecure Content Security Policy (CSP) configuration within yelp-xsl. This flaw can be leveraged to facilitate cross-site scripting or other injection-based attacks, depending on the context of the implementation.

The CVSS score of 7.1 indicates a High severity risk. Successful exploitation could allow an attacker to execute malicious scripts within the user's browser context, potentially leading to session hijacking, data exfiltration, or unauthorized actions performed on behalf of the user.

Immediate Action: Update the yelp-xsl package to the latest version provided by the vendor to remediate the CSP configuration.

Proactive Monitoring: Review web application and browser-related access logs for anomalous traffic patterns or unexpected script execution attempts.

Compensating Controls: Deploy a robust Content Security Policy via HTTP headers as a defense-in-depth measure while awaiting internal package updates.

Public Exploit Available: false

Security teams must prioritize updating the yelp-xsl component across all affected systems. Failure to address this CSP misconfiguration leaves environments vulnerable to client-side attacks that can be difficult to detect once executed.