
Thorsteneckel

#43048 of 53,624
6.1 Total CVSS
Vulnerabilities · 1
PT-2022-15536
6.1
2022-04-27
Ruby On Rails · Action Pack · CVE-2022-22577
**Name of the Vulnerable Software and Affected Versions**

- Action Pack versions 5.2.0 through 5.2.7
- Action Pack versions 6.0.0 through 6.0.4.7
- Action Pack versions 6.1.0 through 6.1.5.0
- Action Pack versions 7.0.0 through 7.0.2.3

**Description**

The issue allows an attacker to bypass Content Security Policy (CSP) for non-HTML responses, potentially exposing users to cross-site scripting (XSS) attacks. It occurs because Rails sent CSP headers only with responses it considered "HTML", so API responses were served without these headers.

**Recommendations**

- For Action Pack version 5.2.7 and earlier, update to version 5.2.7.1.
- For Action Pack version 6.0.4.7 and earlier, update to version 6.0.4.8.
- For Action Pack version 6.1.5.0 and earlier, update to version 6.1.5.1.
- For Action Pack version 7.0.2.3 and earlier, update to version 7.0.2.4.

As a temporary workaround, set a CSP for API responses manually until a patch is available.
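As an added example (not code from this advisory or from Rails itself), a Rack-style middleware that applies a fallback Content-Security-Policy header to every response regardless of content type, which is the shape of the manual workaround above; the policy string, middleware name and the two sample apps are constructed for illustration.

```ruby
# Fallback CSP applied when the application sets none of its own (constructed value).
DEFAULT_CSP = "default-src 'none'; frame-ancestors 'none'".freeze

# Middleware that adds a CSP header to every response, including non-HTML
# (API) responses that the vulnerable Rails versions left without one.
class CspForAllResponses
  def initialize(app, policy: DEFAULT_CSP)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Content type is deliberately ignored: the point of the workaround is that
    # JSON and other non-HTML responses get a policy too. An existing
    # application-set header is left untouched.
    key = headers.keys.find { |k| k.casecmp?('Content-Security-Policy') } ||
          'Content-Security-Policy'
    headers[key] ||= @policy
    [status, headers, body]
  end
end

# Constructed sample apps: one JSON endpoint with no CSP (as an unpatched API
# response would look) and one HTML page that already sets its own policy.
JSON_APP = ->(_env) { [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']] }
HTML_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html',
          'Content-Security-Policy' => "default-src 'self'" }, ['<p>hi</p>']]
end

# Runs one request through the middleware and returns the resulting CSP header.
def csp_header_for(app, path = '/api/items')
  env = { 'PATH_INFO' => path, 'REQUEST_METHOD' => 'GET' }
  _status, headers, _body = CspForAllResponses.new(app).call(env)
  headers.find { |k, _v| k.casecmp?('Content-Security-Policy') }&.last
end

if __FILE__ == $PROGRAM_NAME
  puts csp_header_for(JSON_APP) # fallback policy, since the app set none
  puts csp_header_for(HTML_APP) # app's own policy is preserved
end
```

In a Rails application this would be registered with `config.middleware.use`, and the policy should be tightened to whatever the API responses actually need.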