Search for packages
| purl | pkg:npm/jquery-ujs@1.0.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-356q-csk2-8ug5 | jquery-rails and jquery-ujs subject to Exposure of Sensitive Information jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value. |
CVE-2015-1840
GHSA-4whc-pp4x-9pf3 |
| VCID-k1jn-jwbx-qya1 | CSRF vulnerability In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the nhref or action to " https://attacker.com" (note the leading space) that will be passed to JQuery, who will see this as a same origin request, and send the user's CSRF token to the attacker domain. |
GMS-2015-14
|
| VCID-x5j5-g553-hudp | CSRF Vulnerability in jquery-ujs Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribute of a form tag triggering a POST action, the attacker can set the href or action to " https://attacker.com". By prepending a space to the external domain, it causes jQuery to consider it a same origin request, resulting in the user's CSRF token being sent to the external domain. ## Recommendation Upgrade jquery-ujs to version 1.0.4 or later. |
GHSA-6qqj-rx4w-r3cj
GMS-2020-740 |