CVE-2024-54133: Possible Content Security Policy bypass in Action Dispatch

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-54133

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Possible Content Security Policy bypass in Action Dispatch

Source: NVD (National Vulnerability Database)

Vulnerability Description

Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Rails Action Pack 跨站脚本漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Rails Action Pack是美国Rails团队的一个web框架。提供了路由机制（将请求URL映射到动作），定义实现动作的控制器以及通过渲染视图（各种格式的模板）生成响应的机制。 Rails Action Pack存在跨站脚本漏洞，该漏洞源于content_security_policy助手能按不可信用户输入动态设置CSP头部，从而导致绕过CSP及失去对跨站脚本等攻击的防护。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
rails	rails	>= 5.2.0, < 7.0.8.7	-

II. Public POCs for CVE-2024-54133

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-54133

Please Login to view more intelligence information

https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26vx_refsource_CONFIRM
https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3ax_refsource_MISC
https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1dx_refsource_MISC
https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49x_refsource_MISC
https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2024-54133

IV. Related Vulnerabilities

Same product: rails

Same vendor: rails

Same weakness: CWE-79

V. Comments for CVE-2024-54133

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2024-54133

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-54133

III. Intelligence Information for CVE-2024-54133

IV. Related Vulnerabilities

V. Comments for CVE-2024-54133

Leave a comment