Lookup for vulnerable packages by Package URL.

Purl pkg:npm/jquery-ujs@1.0.2
Type npm
Namespace
Name jquery-ujs
Version 1.0.2
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.0.4
Latest_non_vulnerable_version 1.0.4
Affected_by_vulnerabilities
0
url VCID-k1jn-jwbx-qya1
vulnerability_id VCID-k1jn-jwbx-qya1
summary
CSRF vulnerability
In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to jQuery, which will see this as a same origin request, and send the user's CSRF token to the attacker domain.
references
0
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
reference_id
reference_type
scores
url https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
fixed_packages
0
url pkg:npm/jquery-ujs@1.0.4
purl pkg:npm/jquery-ujs@1.0.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jquery-ujs@1.0.4
aliases GMS-2015-14
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k1jn-jwbx-qya1
1
url VCID-x5j5-g553-hudp
vulnerability_id VCID-x5j5-g553-hudp
summary
CSRF Vulnerability in jquery-ujs
Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains.

When an attacker controls the href attribute of an anchor tag, or the action attribute of a form tag triggering a POST action, the attacker can set the href or action to " https://attacker.com". By prepending a space to the external domain, it causes jQuery to consider it a same origin request, resulting in the user's CSRF token being sent to the external domain.

## Recommendation

Upgrade jquery-ujs to version 1.0.4 or later.
references
0
reference_url https://groups.google.com/forum/#!msg/rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!msg/rubyonrails-security/XIZPbobuwaY/fqnzzpuOlA4J
1
reference_url https://hackerone.com/reports/49935
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/49935
2
reference_url https://snyk.io/vuln/npm:jquery-ujs:20150624
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/npm:jquery-ujs:20150624
3
reference_url https://www.npmjs.com/advisories/15
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/15
4
reference_url https://github.com/advisories/GHSA-6qqj-rx4w-r3cj
reference_id GHSA-6qqj-rx4w-r3cj
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6qqj-rx4w-r3cj
fixed_packages
0
url pkg:npm/jquery-ujs@1.0.4
purl pkg:npm/jquery-ujs@1.0.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jquery-ujs@1.0.4
aliases GHSA-6qqj-rx4w-r3cj, GMS-2020-740
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x5j5-g553-hudp
Fixing_vulnerabilities
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/jquery-ujs@1.0.2