VIR Vulnerability Intelligence Relay

CVE-2024-54133

unknown
Published 2024-12-10 · Modified 2025-03-07
CVSS v3
CVSS v2
VIR risk

Description

Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-54133

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed2:6.1.7.10+dfsg-1~deb12u1
debian debianbullseyefixed2:6.0.3.7+dfsg-2+deb11u3
debian debianforkyfixed2:7.2.2.1+dfsg-1
debian debiansidfixed2:7.2.2.1+dfsg-1
debian debiantrixiefixed2:7.2.2.1+dfsg-1

Package impact
EcosystemPackageVulnerableFixed
ruby RubyGemsactionpack!< 5.2.0||<~> 7.0.8, >= 7.0.8.7~> 7.0.8, >= 7.0.8.7
ruby RubyGemsactionpack>=5.2.0,<7.0.8.77.0.8.7
ruby RubyGemsactionpack>=7.1.0,<7.1.5.17.1.5.1
ruby RubyGemsactionpack>=7.2.0,<7.2.2.17.2.2.1
ruby RubyGemsactionpack>=8.0.0,<8.0.0.18.0.0.1

References

Verify integrity in audit chain (admin only). AS-IS.