A flaw was found in rubygem-secure_headers in versions prior to 6.2.0, 5.1.0, and 3.8.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection which could be used to override a script-src directive. The highest threat from this vulnerability is to data integrity.