DirectorySecurity Advisories
Sign In
Security Advisories

CVE-2024-54133

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-54133

CGA ID

CGA-v87g-7687-jjrw

Severity

Unknown

Summary

Possible Content Security Policy bypass in Action Dispatch

Description

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

References

Affected packages


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images