VulnerableCode Package Details - pkg:gem/actionpack@7.2.1.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-g3rk-djae-pkeh Aliases: CVE-2024-54133 GHSA-vfm5-rmrh-j26v	Possible Content Security Policy bypass in Action Dispatch There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack. Impact ------ Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input. Credits ------- Thanks to [ryotak](https://hackerone.com/ryotak) for the report!	7.2.2.1 Affected by 0 other vulnerabilities. 8.0.0.beta1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.0.0.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-g3rk-djae-pkeh
Aliases:
CVE-2024-54133
GHSA-vfm5-rmrh-j26v

Possible Content Security Policy bypass in Action Dispatch There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack. Impact ------ Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input. Credits ------- Thanks to [ryotak](https://hackerone.com/ryotak) for the report!

7.2.2.1
Affected by 0 other vulnerabilities.

8.0.0.beta1
Affected by 3 other vulnerabilities.

8.0.0.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T17:41:16.657730+00:00	Ruby Importer	Affected by	VCID-g3rk-djae-pkeh	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml	38.4.0
2026-04-12T00:35:40.923435+00:00	GitLab Importer	Affected by	VCID-g3rk-djae-pkeh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2024-54133.yml	38.3.0
2026-04-11T21:38:56.415074+00:00	Ruby Importer	Affected by	VCID-g3rk-djae-pkeh	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml	38.3.0
2026-04-03T00:43:27.485751+00:00	GitLab Importer	Affected by	VCID-g3rk-djae-pkeh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/CVE-2024-54133.yml	38.1.0
2026-04-02T19:36:41.751142+00:00	Ruby Importer	Affected by	VCID-g3rk-djae-pkeh	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml	38.1.0
2026-04-01T15:54:03.422467+00:00	Ruby Importer	Affected by	VCID-g3rk-djae-pkeh	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml	38.0.0