11 matches found
CVE-2026-54163 secure_headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
secureheaders manages application of security headers with many safe defaults. Prior to 7.3.0, secureheaders builds the Content-Security-Policy value by stitching directives with ; separators, and buildsandboxlistdirective, buildmediatypelistdirective, and buildreporttodirective interpolate...
CVE-2026-54163
Summary: The vulnerability CVE-2026-54163 affects the Ruby gem secure_headers (pre-7.3.0). When applications feed untrusted input into CSP-related directives via override_content_security_policy_directives or related APIs, the three builders—build_sandbox_list_directive, build_media_type_list_dir...
Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
Summary secureheaders builds the Content-Security-Policy value by stitching every configured directive together with ; separators. Three directive builders buildsandboxlistdirective, buildmediatypelistdirective, buildreporttodirective interpolate caller-supplied strings into that value without...
GHSA-RQQ5-2GF9-4W4Q Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input
Summary secureheaders builds the Content-Security-Policy value by stitching every configured directive together with ; separators. Three directive builders buildsandboxlistdirective, buildmediatypelistdirective, buildreporttodirective interpolate caller-supplied strings into that value without...
PT-2026-57369
Name of the Vulnerable Software and Affected Versions secure headers versions prior to 7.3.0 Description The software fails to properly sanitize caller-supplied strings when building the Content-Security-Policy CSP header. Specifically, the functions build sandbox list directive, build media type...
KiloView Encoder Series (Update A)
RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthenticated attacker to create or delete administrator accounts, granting full administrative control. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of...
Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electrics Products
RISK EVALUATION Successful exploitation of this vulnerability could result in denial-of-service DoS, information tampering, and information disclosure. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:...
What to do when you click on a suspicious link
October is Cybersecurity Awareness Month, and as the tech-savvy friend or family member, people probably come to you for advice. One of the most common questions is: "I clicked a suspicious link. What do I do now?" Don't worry -- panic won't help, but a calm, step-by-step response will. Share thi...
Content Security Policy Missing 'Report-To'
Content Security Policy CSP is a web security standard that helps to mitigate attacks like cross-site scripting XSS, clickjacking or mixed content issues. CSP provides mechanisms to websites to restrict content that browsers will be allowed to load. The 'report-to' directive allows websites to...
Phone Scammers Impersonating CISA Employees
Impersonation scams are on the rise and often use the names and titles of government employees. The Cybersecurity and Infrastructure Security Agency CISA is aware of recent impersonation scammers claiming to represent the agency. As a reminder, although CISA staff will occasionally contact...
Exploit for Embedded Malicious Code in Tukaani Xz
CVE-2024-3094-Vulnerabity-Checker Verify that your XZ Utils ve...