CVE-2024-54133Cross-site Scripting in Project Actionpack

CWE-79Cross-site Scripting8 documents7 sources
Severity
2.3LOWNVD
EPSS
0.2%
top 59.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Rubyonrails RailsActionpack Project ActionpackRails
Timeline
PublishedDec 10
Latest updateFeb 6

Description

Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass o

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages3 packages

RubyGemsactionpack_project/actionpack5.2.07.0.8.7+3
Debianrubyonrails/rails< 2:6.0.3.7+dfsg-2+deb11u3+3
CVEListV5rails/rails4 versions+3

🔴Vulnerability Details

4
GHSA
Possible Content Security Policy bypass in Action Dispatch2024-12-10
OSV
CVE-2024-54133: Action Pack is a framework for handling and responding to web requests2024-12-10
CVEList
Possible Content Security Policy bypass in Action Dispatch2024-12-10
OSV
Possible Content Security Policy bypass in Action Dispatch2024-12-10

📋Vendor Advisories

2
Red Hat
actionpack: Possible Content Security Policy bypass in Action Dispatch2024-12-10
Debian
CVE-2024-54133: rails - Action Pack is a framework for handling and responding to web requests. There is...2024

💬Community

1
HackerOne
[CVE-2024-54133] Possible Content Security Policy bypass in Action Dispatch2025-02-06
CVE-2024-54133 — Cross-site Scripting | cvebase