PT-2024-10114 · Ruby On Rails · Action Pack
Shinkbr · Published 2024-06-04 · Updated 2026-05-09
CVE-2024-28103
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Action Pack versions 6.1.0 through 6.1.7.7
Action Pack versions 7.0.0 through 7.0.8.1
Action Pack versions 7.1.0 through 7.1.3.2
Description
The application-configurable Permissions-Policy header is only served on responses with an HTML-related Content-Type. This issue is related to insufficient input validation, which may allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability concerns non-HTML Content-Types that would benefit from having the Permissions-Policy header enforced.
Recommendations
For Action Pack versions 6.1.0 through 6.1.7.7, update to version 6.1.7.8.
For Action Pack versions 7.0.0 through 7.0.8.1, update to version 7.0.8.2.
For Action Pack versions 7.1.0 through 7.1.3.2, update to version 7.1.3.3.
As a temporary workaround, consider restricting access to non-HTML Content-Types until a patch is available. Apply the patches provided for the supported release series (6-1-include-permissions-policy-header-on-non-html.patch, 7-0-include-permissions-policy-header-on-non-html.patch, or 7-1-include-permissions-policy-header-on-non-html.patch) to address the issue immediately.
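The description above says the header is attached only to HTML responses, and the recommendation is to patch or otherwise ensure non-HTML responses are covered. The following is an added example, not code from Rails or from this advisory: a plain-Ruby, Rack-compatible middleware that sets an application-configured Permissions-Policy on every response whose Content-Type did not already get one, beside a constructed stand-in app that mimics the unpatched behaviour (HTML only). The `EnsurePermissionsPolicy` class, the `directives` hash format, `VULNERABLE_APP` and `serve` are all assumptions made for the example; Rails' real configuration DSL is not reproduced here.

```ruby
# Added example (not Action Pack's own code): enforce Permissions-Policy on
# all responses, independent of Content-Type, at the Rack layer.
# Assumptions: the app honours the Rack [status, headers, body] contract and
# the policy is given as a hash of directive => allowlist, rendered in the
# structured-header syntax used by Permissions-Policy (e.g. camera=()).
# No gems are required, so this runs offline with plain Ruby.

class EnsurePermissionsPolicy
  HEADER = "Permissions-Policy"

  # directives: e.g. { "camera" => "()", "geolocation" => "(self)" } (assumed format)
  def initialize(app, directives)
    @app = app
    @policy = directives.map { |name, allowlist| "#{name}=#{allowlist}" }.join(", ")
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup # never mutate a header hash the app may have frozen
    headers[HEADER] = @policy unless header_present?(headers)
    [status, headers, body]
  end

  private

  # Header names are case-insensitive; the app may have used a lowercase key.
  def header_present?(headers)
    headers.keys.any? { |k| k.to_s.casecmp?(HEADER) }
  end
end

# Constructed stand-in for an unpatched app: it emits Permissions-Policy
# only when the response is text/html, and omits it for JSON.
VULNERABLE_APP = lambda do |env|
  json = env["PATH_INFO"].to_s.end_with?(".json")
  ctype = json ? "application/json" : "text/html"
  headers = { "Content-Type" => ctype }
  headers["Permissions-Policy"] = "camera=()" unless json
  [200, headers, [json ? "{}" : "<html></html>"]]
end

# Drive an app with a minimal constructed Rack env and return its headers,
# so a test suite can audit which responses carry the policy header.
def serve(app, path)
  _status, headers, _body = app.call({ "PATH_INFO" => path, "REQUEST_METHOD" => "GET" })
  headers
end

# True when a response lacks Permissions-Policy under any header-name casing.
def missing_permissions_policy?(headers)
  headers.keys.none? { |k| k.to_s.casecmp?(EnsurePermissionsPolicy::HEADER) }
end

if $PROGRAM_NAME == __FILE__
  hardened = EnsurePermissionsPolicy.new(VULNERABLE_APP, { "camera" => "()", "geolocation" => "(self)" })
  %w[/index.html /data.json].each do |path|
    puts "unpatched #{path}: #{serve(VULNERABLE_APP, path)['Permissions-Policy'].inspect}"
    puts "hardened  #{path}: #{serve(hardened, path)['Permissions-Policy'].inspect}"
  end
end
```

The audit helper `missing_permissions_policy?` is the check worth wiring into a request spec: run it over every route's non-HTML responses before and after the upgrade, since a missing header on JSON or file downloads is exactly the condition this advisory describes. The middleware only fills in the header when the framework did not, so it does not override a policy the application already set on HTML responses.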
Exploit
Fix
RCE
Affected Products
Alt Linux
Action Pack
Debian
Red Os
Suse