PT-2022-15536 · Ruby On Rails · Action Pack

Thorsteneckel · Published 2022-04-27 · Updated 2023-03-14 · CVE-2022-22577

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Action Pack versions 5.2.0 through 5.2.7
Action Pack versions 6.0.0 through 6.0.4.7
Action Pack versions 6.1.0 through 6.1.5.0
Action Pack versions 7.0.0 through 7.0.2.3

Description

The issue allows an attacker to bypass Content Security Policy (CSP) for non-HTML responses, potentially exposing users to cross-site scripting (XSS) attacks. This occurs because Rails sent CSP headers only with responses it considered "HTML", leaving API responses without these headers.

Recommendations

For Action Pack version 5.2.7 and earlier, update to version 5.2.7.1.
For Action Pack version 6.0.4.7 and earlier, update to version 6.0.4.8.
For Action Pack version 6.1.5.0 and earlier, update to version 6.1.5.1.
For Action Pack version 7.0.2.3 and earlier, update to version 7.0.2.4.

As a temporary workaround, consider setting a CSP header for API responses manually until a patch is available.
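One way to apply the manual workaround above is a small Rack-style middleware that adds a Content-Security-Policy header to any response that does not already carry one, so JSON and other non-HTML responses are covered as well. This is an added illustration, not code from Rails or from this advisory; the middleware class, the two sample apps and the policy string are constructed for the example, and a real deployment would choose a policy matching its own application.

```ruby
# Added example: Rack-style middleware that guarantees a Content-Security-Policy
# header on every response. A Rack middleware is just an object whose #call(env)
# returns [status, headers, body], so this runs without Rails or the rack gem.
# The policy below is a constructed, deliberately restrictive placeholder.
class CspForAllResponses
  DEFAULT_POLICY = "default-src 'none'; frame-ancestors 'none'".freeze

  def initialize(app, policy: DEFAULT_POLICY)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Leave responses that already set a policy (e.g. Rails' HTML responses)
    # untouched; header names are compared case-insensitively.
    unless headers.keys.any? { |k| k.casecmp?('Content-Security-Policy') }
      headers['Content-Security-Policy'] = @policy
    end
    [status, headers, body]
  end
end

# Constructed sample apps: one HTML response that already carries a CSP header
# and one JSON (API) response that, as in the vulnerable versions, does not.
HTML_APP = lambda do |_env|
  [200, { 'Content-Type' => 'text/html',
          'Content-Security-Policy' => "default-src 'self'" }, ['<html></html>']]
end
JSON_APP = lambda do |_env|
  [200, { 'Content-Type' => 'application/json' }, ['{"ok":true}']]
end

# Helper returning the CSP header a wrapped app ends up sending.
def csp_header_for(app, env = {})
  _status, headers, _body = CspForAllResponses.new(app).call(env)
  headers['Content-Security-Policy']
end

if __FILE__ == $PROGRAM_NAME
  puts "JSON response: #{csp_header_for(JSON_APP)}"
  puts "HTML response: #{csp_header_for(HTML_APP)}"
end
```

In a Rails application the middleware would be registered with `config.middleware.use`, and the check that the header is already present keeps it from overriding the policy Rails itself emits for HTML responses.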

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2022-22577
DLA-3093-1
DSA-5372-1
GHSA-MM33-5VFQ-3MM3
RHSA-2023:2097
RLSA-2023:2097

Affected Products

Action Pack
Astra Linux
Rocky Linux