CVE-2024-54133

LOW

Action Pack <7.0.8.7, <7.1.5.1, <7.2.2.1, <8.0.0.1 - XSS

Description

Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may allow carefully crafted inputs to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
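The workaround in the description (validate or sanitize any untrusted value before it reaches a CSP header) is illustrated below with plain Ruby. This is an added, constructed example, not code from Rails or from the advisory: `naive_csp` shows the general risk of concatenating an untrusted source expression into a header value, where a separator in the input becomes a new directive, and `safe_csp` shows the defensive pattern of checking the input against a strict token shape and a host allowlist (`SOURCE_TOKEN` and `ALLOWED_HOSTS` are assumptions chosen for the example). The `directives` helper just splits a header value so the effect is visible.

```ruby
require "uri"

# Constructed allowlist of hosts an application is willing to add to script-src.
ALLOWED_HOSTS = %w[cdn.example.com static.example.net].freeze

# A single CSP source expression: a keyword source or a scheme+host[:port].
# Anchored with \A and \z so separators (";", whitespace) cannot slip through.
SOURCE_TOKEN = /\A(?:'self'|'none'|https?:\/\/[a-z0-9.-]+(?::\d{1,5})?)\z/i

# Risky pattern (constructed illustration): untrusted input is concatenated
# straight into the header value, so "; directive value" in the input
# is interpreted by the browser as an additional directive.
def naive_csp(extra_source)
  "default-src 'self'; script-src 'self' #{extra_source}"
end

# Defensive pattern: reject anything that is not exactly one well-formed
# source expression, and require host sources to be on the allowlist.
def validated_source(candidate)
  s = candidate.to_s.strip
  raise ArgumentError, "rejected CSP source: #{s.inspect}" unless SOURCE_TOKEN.match?(s)
  return s if s.start_with?("'") # keyword sources such as 'self' carry no host

  host = URI.parse(s).host.to_s.downcase
  raise ArgumentError, "host not allowlisted: #{host}" unless ALLOWED_HOSTS.include?(host)
  s
end

def safe_csp(extra_source)
  "default-src 'self'; script-src 'self' #{validated_source(extra_source)}"
end

# Returns the directive names present in a header value, for inspection.
def directives(header)
  header.split(";").map(&:strip).reject(&:empty?).map { |d| d.split(/\s+/).first }
end

if __FILE__ == $PROGRAM_NAME
  crafted = "https://cdn.example.com; img-src *" # constructed untrusted input
  puts "naive:  #{directives(naive_csp(crafted)).inspect}"
  begin
    safe_csp(crafted)
  rescue ArgumentError => e
    puts "safe:   #{e.message}"
  end
  puts "safe:   #{safe_csp('https://cdn.example.com')}"
end
```

In a real application the validated value would then be passed to the framework's CSP configuration rather than assembled by string interpolation; the point of the example is that the input is accepted only as one complete, allowlisted source token, never as free text.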

Scores

CVSS v4 2.3
EPSS 0.0024
EPSS Percentile 46.7%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (5)
rails/rails >= 5.2.0, < 7.0.8.7
rails/rails >= 7.1.0, < 7.1.5.1
rails/rails >= 7.2.0, < 7.2.2.1
rails/rails >= 8.0.0, < 8.0.0.1
rubygems/actionpack 5.2.0 - 7.0.8.7 (RubyGems)
Published Dec 10, 2024
Tracked Since Feb 18, 2026