PT-2024-10400 · Unknown+3 · Action Pack+3

Jhawthorn +1 · Published 2024-12-10 · Updated 2026-03-16 · CVE-2024-54133

CVSS v4.0: 2.3 (Low)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions

Action Pack versions 5.2.0 through 7.0.8.6
Action Pack versions 7.0.8.7 through 7.1.5.0
Action Pack versions 7.1.5.1 through 7.2.2.0
Action Pack versions 7.2.2.1 through 8.0.0.0
Description

The issue lies in the content security policy helper in Action Pack. Because a directive value is placed into the Content-Security-Policy (CSP) header without being checked for directive delimiters, an attacker who controls such a value may inject new directives into the header. This can bypass the CSP and the protection it provides against Cross Site Scripting (XSS) and other attacks. Applications that set CSP headers dynamically from untrusted user input may be vulnerable.
Recommendations

For Action Pack versions 5.2.0 through 7.0.8.6, update to version 7.0.8.7 or later.
For Action Pack versions 7.0.8.7 through 7.1.5.0, update to version 7.1.5.1 or later.
For Action Pack versions 7.1.5.1 through 7.2.2.0, update to version 7.2.2.1 or later.
For Action Pack versions 7.2.2.1 through 8.0.0.0, update to version 8.0.0.1 or later.

As a temporary workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
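The following is an added example written for this page; it is not code from the advisory or from Rails, and it does not reproduce the upstream patch. It uses a minimal, self-contained CSP header builder (no Rails dependency) to show the mechanism the description refers to and the validation the workaround calls for: a directive value taken from untrusted input that contains a directive delimiter (";") splits into a new directive once the policy is serialised, while a builder that rejects such values before serialisation keeps the header to exactly the directives the application configured. The tenant-configured CDN host, the policy shape and the sample values are all constructed for illustration; in a real Rails application the equivalent untrusted value would be one passed into a directive inside the `content_security_policy` configuration block.

```ruby
# Added example (not the advisory's or Rails' own code): a tiny CSP header
# builder that mirrors how a directive hash becomes a header string, used to
# show why directive values built from untrusted input must be validated.

# Characters that delimit directives within a CSP header value. A source
# value containing one of them no longer stays inside its own directive.
CSP_DELIMITERS = /[;,]/

class CspDirectiveValueError < ArgumentError; end

# Serialise {directive_name => [source values]} into a header value the way
# a CSP helper would. This naive version does no validation, so a value
# holding ";" is emitted verbatim and becomes a directive separator.
def build_csp_header(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

# Split a header value back into ordered [name, sources] pairs, so the
# directives actually present in the header can be compared with the ones
# the application intended to set.
def parse_csp_header(header)
  header.split(";").map(&:strip).reject(&:empty?).map do |directive|
    name, *sources = directive.split(/\s+/)
    [name, sources]
  end
end

# Hardened builder: refuse any source value that could escape its directive
# (delimiters or whitespace), which is the "validate/sanitize that input"
# workaround from the recommendations applied at the point of use.
def validate_csp_source(value)
  if value.match?(CSP_DELIMITERS) || value.match?(/\s/)
    raise CspDirectiveValueError, "invalid characters in CSP source: #{value.inspect}"
  end
  value
end

def build_csp_header_safely(directives)
  validated = directives.transform_values { |sources| sources.map { |s| validate_csp_source(s) } }
  build_csp_header(validated)
end

# Constructed sample (hypothetical application): a per-tenant CDN host that
# the application appends to script-src. The value is attacker-influenced.
BENIGN_CDN   = "https://cdn.example.com"
INJECTED_CDN = "https://cdn.example.com; img-src *"

def policy_for(cdn_host)
  { "default-src" => ["'self'"], "script-src" => ["'self'", cdn_host] }
end

if __FILE__ == $0
  # Two directives configured, two directives emitted.
  puts build_csp_header(policy_for(BENIGN_CDN))
  # Two directives configured, three emitted: the header now carries an
  # img-src directive the application never set.
  puts build_csp_header(policy_for(INJECTED_CDN))
  p parse_csp_header(build_csp_header(policy_for(INJECTED_CDN))).map(&:first)
  # The validating builder rejects the value before it reaches the header.
  begin
    build_csp_header_safely(policy_for(INJECTED_CDN))
  rescue CspDirectiveValueError => e
    puts "rejected: #{e.message}"
  end
end
```

The check in `validate_csp_source` is deliberately strict (it refuses whitespace as well as ";" and ","), because a single source value in a CSP directive is one token; anything that would make it two tokens or two directives is not a valid source and is safest treated as a hard error rather than silently trimmed. Reviewing an application for this issue means finding every place a value from request parameters, a database row or a tenant setting flows into a CSP directive and confirming it passes through a check of this kind, or is replaced by a value from a fixed allow-list.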

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2025-3714
BDU:2025-00917
BIT-RAILS-2024-54133
CVE-2024-54133
DLA-4383-1
DSA-5881-1
GHSA-VFM5-RMRH-J26V
OPENSUSE-SU-2025:14668-1
OPENSUSE-SU-2025:14669-1
OPENSUSE-SU-2025:14670-1
OPENSUSE-SU-2025:14671-1
OPENSUSE-SU-2025:14672-1
OPENSUSE-SU-2025:14673-1
OPENSUSE-SU-2025:14674-1
OPENSUSE-SU-2025:14675-1
OPENSUSE-SU-2025:14676-1
OPENSUSE-SU-2025:14677-1
OPENSUSE-SU-2025:14678-1
OPENSUSE-SU-2025:14679-1
OPENSUSE-SU-2025:14680-1
OPENSUSE-SU-2026:10335-1
OPENSUSE-SU-2026:10336-1
OPENSUSE-SU-2026:10337-1
OPENSUSE-SU-2026:10338-1
OPENSUSE-SU-2026:10339-1
OPENSUSE-SU-2026:10340-1
OPENSUSE-SU-2026:10341-1
OPENSUSE-SU-2026:10342-1
OPENSUSE-SU-2026:10343-1
OPENSUSE-SU-2026:10344-1
OPENSUSE-SU-2026:10345-1
OPENSUSE-SU-2026:10360-1
OPENSUSE-SU-2026:10362-1

Affected Products

Alt Linux
Action Pack
Debian
Red Os