Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs that inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
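The workaround above says to validate or sanitize any untrusted value before it reaches a CSP directive. The following is an added example of one such allowlist check, written for this page and not taken from Rails or from the fix commits; the names `safe_csp_source?`, `build_script_src` and `CSP_SOURCE_PATTERN` are this example's own. It accepts only a scheme-qualified or bare host (optional wildcard subdomain and port) and rejects anything carrying the `;` and `,` separators or whitespace that would let a value start a new directive or split the header.

```ruby
# Added example (not Rails code): allowlist a single dynamic CSP source value
# before handing it to the content_security_policy helper.

# A host-source as CSP permits it: optional scheme and "//", optional "*."
# wildcard label, one or more DNS labels, optional port. Nothing else.
CSP_SOURCE_PATTERN = %r{\A
  (?:(?:https?:)?//)?                                   # optional scheme://
  (?:\*\.)?                                             # optional wildcard label
  [A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?         # first label
  (?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*  # further labels
  (?::\d{1,5})?                                         # optional port
\z}x

# True only for values that can be placed in a CSP source list verbatim.
def safe_csp_source?(value)
  return false unless value.is_a?(String)
  # Directive separators and whitespace are exactly what would allow a value
  # to append a new directive or break the header; reject them outright.
  return false if value.match?(/[;,\s]/)
  CSP_SOURCE_PATTERN.match?(value)
end

# Compose the script-src source list from a fixed base plus one dynamic host.
# Raises instead of emitting a header built from a value that failed the check,
# so a bad input cannot silently weaken the policy.
def build_script_src(dynamic_host)
  unless safe_csp_source?(dynamic_host)
    raise ArgumentError, "rejected CSP source: #{dynamic_host.inspect}"
  end
  ["'self'", dynamic_host].join(" ")
end

# Usage sketch (hypothetical controller code, not part of this runnable block):
#   content_security_policy do |policy|
#     policy.script_src(*build_script_src(params[:cdn_host]).split)
#   end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs for a stand-alone run.
  ["https://cdn.example.com", "*.example.com", "https://cdn.example.com;x", "'unsafe-inline'"].each do |v|
    puts "#{v.inspect} -> #{safe_csp_source?(v)}"
  end
end
```

The check is deliberately narrower than the CSP grammar (keyword sources such as `'self'` are kept in the static part of the policy rather than accepted from input), which is the usual trade-off for an allowlist on untrusted data.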
Reserved 2024-11-29 | Published 2024-12-10 | Updated 2024-12-11 | Assigner GitHub_M
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
github.com/.../rails/security/advisories/GHSA-vfm5-rmrh-j26v
github.com/...ommit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
github.com/...ommit/3da2479cfe1e00177114b17e496213c40d286b3a
github.com/...ommit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
github.com/...ommit/cb16a3bb515b5d769f73926d9757270ace691f1d