VulnerableCode Package Details - pkg:npm/jquery-ujs@1.0.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-356q-csk2-8ug5 Aliases: CVE-2015-1840 GHSA-4whc-pp4x-9pf3	jquery-rails and jquery-ujs subject to Exposure of Sensitive Information jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.	1.0.4 Affected by 0 other vulnerabilities.
VCID-x5j5-g553-hudp Aliases: GHSA-6qqj-rx4w-r3cj GMS-2020-740	CSRF Vulnerability in jquery-ujs Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribute of a form tag triggering a POST action, the attacker can set the href or action to " https://attacker.com". By prepending a space to the external domain, it causes jQuery to consider it a same origin request, resulting in the user's CSRF token being sent to the external domain. ## Recommendation Upgrade jquery-ujs to version 1.0.4 or later.	1.0.4 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-356q-csk2-8ug5
Aliases:
CVE-2015-1840
GHSA-4whc-pp4x-9pf3

jquery-rails and jquery-ujs subject to Exposure of Sensitive Information jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.

1.0.4
Affected by 0 other vulnerabilities.

VCID-x5j5-g553-hudp
Aliases:
GHSA-6qqj-rx4w-r3cj
GMS-2020-740

CSRF Vulnerability in jquery-ujs Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribute of a form tag triggering a POST action, the attacker can set the href or action to " https://attacker.com". By prepending a space to the external domain, it causes jQuery to consider it a same origin request, resulting in the user's CSRF token being sent to the external domain. ## Recommendation Upgrade jquery-ujs to version 1.0.4 or later.

1.0.4
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T12:37:02.473736+00:00	GitLab Importer	Affected by	VCID-x5j5-g553-hudp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jquery-ujs/GMS-2020-740.yml	38.0.0
2026-04-01T16:54:45.400775+00:00	Npm Importer	Affected by	VCID-356q-csk2-8ug5	https://github.com/nodejs/security-wg/blob/main/vuln/npm/15.json	38.0.0
2026-04-01T15:58:24.070769+00:00	GHSA Importer	Affected by	VCID-x5j5-g553-hudp	https://github.com/advisories/GHSA-6qqj-rx4w-r3cj	38.0.0