CVE-2015-1840

Published Jul 26, 2015

Last updated 6 years ago

Overview

Description: jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
Source: secalert@redhat.com
NVD status: Modified

Hype score: Not currently trending

Risk scores

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses

nvd@nist.gov: CWE-200

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171"
          },
          {
            "criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:rubyonrails:jquery-rails:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7A148E0C-BADE-450D-8044-B14583213AEC",
            "versionEndIncluding": "3.1.2"
          },
          {
            "criteria": "cpe:2.3:a:rubyonrails:jquery-rails:4.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0B544B72-D665-436E-90C3-17330FAD49F3"
          },
          {
            "criteria": "cpe:2.3:a:rubyonrails:jquery-rails:4.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AD5DBE03-32BD-4212-9987-57C3447B026D"
          },
          {
            "criteria": "cpe:2.3:a:rubyonrails:jquery-ujs:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "64FC6756-0214-4671-8E2A-C3BC63A13E04",
            "versionEndIncluding": "1.0.3"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F"
          },
          {
            "criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 2.0

Weaknesses

Configurations

References