XSS in Rails

CVE-2024-54133

Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.010 (58.1th percentile)

Affected products

  • Rails — versions >= 5.2.0, < 7.0.8.7; >= 7.1.0, < 7.1.5.1; >= 7.2.0, < 7.2.2.1

Frequently asked questions

What is CVE-2024-54133?
CVE-2024-54133 is a vulnerability in Rails, classified under Cross-site Scripting. Published 2024-12-10.

Is CVE-2024-54133 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.