{"id":"CVE-2022-22577","details":"An XSS vulnerability in Action Pack \u003e= 5.2.0 and \u003c 5.2.0 that could allow an attacker to bypass CSP for non-HTML-like responses. The version range as written is empty; the ranges recorded in this entry give fixed versions 5.2.7.1, 6.0.4.8, 6.1.5.1 and 7.0.2.4.","aliases":["GHSA-mm33-5vfq-3mm3"],"modified":"2026-03-13T05:30:12.352283Z","published":"2022-05-26T17:15:09.133Z","references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20221118-0002/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5372"},{"type":"FIX","url":"https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-22577.json","unresolved_ranges":[{"events":[{"introduced":"5.2.0"},{"fixed":"5.2.7.1"}]},{"events":[{"introduced":"6.0.0"},{"fixed":"6.0.4.8"}]},{"events":[{"introduced":"6.1.0"},{"fixed":"6.1.5.1"}]},{"events":[{"introduced":"7.0.0"},{"fixed":"7.0.2.4"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}